Method, system, device for proving authenticity of an entity or integrity of a message

ABSTRACT

The invention concerns a method whereby the proof is established by: m (≥ 1) pairs of private values $Q_i$ and public values $G_i = g_i^2$; a public modulus n formed by the product of f (≥ 2) prime factors; and an exponent $v = 2^k$ (k > 1), linked by relationships of the type $G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$. Among the m numbers obtained by raising $Q_i$ or its inverse modulo n to the square modulo n, k−1 times, at least one of them is different from $\pm g_i$. Among the 2m equations $x^2 \equiv g_i \pmod n$, $x^2 \equiv -g_i \pmod n$, at least one of them has solutions in x in the ring of integers modulo n.

CROSS-REFERENCE TO RELATED APPLICATION

This Application is a Section 371 National Stage of International Application No. PCT/FR00/02717 filed Sep. 29, 2000, published Apr. 12, 2001 as WO 01/26279, not in English.

BACKGROUND OF THE INVENTION

The present invention relates to the methods, systems and devices designed to prove the authenticity of an entity and/or the integrity and/or authenticity of a message.

The patent EP 0 311 470 B1, whose inventors are Louis Guillou and Jean-Jacques Quisquater, describes such a method. Hereinafter, reference shall be made to their work by the terms “GQ patent” or “GQ method”. Hereinafter, the expression “GQ2”, or “GQ2 invention” or “GQ2 technology”, shall be used to describe the present invention.

According to the GQ method, an entity known as a “trusted authority” assigns an identity to each entity called a “witness” and computes its RSA signature. In a customizing process, the trusted authority gives the witness an identity and signature. Thereafter, the witness declares the following: “Here is my identity; I know its RSA signature”. The witness proves that he knows the RSA signature of his identity without revealing it. Through the RSA public identification key distributed by the trusted authority, an entity known as a “controller” ascertains, without obtaining knowledge thereof, that the RSA signature corresponds to the declared identity. The mechanisms using the GQ method run “without transfer of knowledge”. According to the GQ method, the witness does not know the RSA private key with which the trusted authority signs a large number of identities.

The GQ technology described above makes use of RSA technology. However, whereas RSA technology truly depends on the factorization of the modulus n, this dependence is not an equivalence, indeed far from it, as can be seen in what are called “multiplicative attacks” against the various standards of digital signatures implementing RSA technology.

The goal of the GQ2 technology is twofold: on the one hand, to improve the performance characteristics of RSA technology and, on the other hand, to avert the problems inherent in RSA technology. Knowledge of the GQ2 private key is equivalent to knowledge of the factorization of the modulus n. Any attack on the GQ2 triplets leads to factorization of the modulus n: this time there is equivalence. With the GQ2 technology, the work load is reduced both for the signing or self-authenticating entity and for the controller entity. Through a better use of the factorization problem, in terms of both security and performance, the GQ2 technology averts the drawbacks of RSA technology.

The GQ method implements modulo computations of numbers comprising 512 bits or more. These computations relate to numbers having substantially the same size raised to powers of the order of 2¹⁶+1. But existing microelectronic infrastructures, especially in the field of bank cards, make use of monolithic self-programmable microprocessors without arithmetical coprocessors. The work load related to the multiple arithmetical applications involved in methods such as the GQ method leads to computation times which, in certain cases, prove to be disadvantageous for consumers using bank cards to pay for their purchases. It may be recalled here that, in seeking to increase the security of payment cards, the banking authorities have raised a problem that is particularly difficult to solve. In fact, two apparently contradictory questions have to be examined: on the one hand, increasing security by using increasingly lengthy and distinct keys for each card while, on the other hand, preventing the work load from leading to excessive computation times for the users. This problem becomes especially acute inasmuch as it is also necessary to take account of the existing infrastructure and the existing microprocessor components.

The GQ2 technology is aimed at providing a solution to this problem while still increasing security.

SUMMARY OF THE INVENTION

Method

More particularly, the invention relates to a method designed to prove the following to a controller entity:

the authenticity of an entity and/or

the integrity of a message M associated with this entity.

This proof is established by means of all or part of the following parameters or derivatives of these parameters:

m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$ (m being greater than or equal to 1),

a public modulus n constituted by the product of f prime factors $p_1, p_2, \ldots, p_f$ (f being greater than or equal to 2).

Said modulus and said private and public values are related by relationships of the type:

$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$

where v represents a public exponent of the type

$v = 2^k$

where k is a security parameter greater than 1,

said m public values $G_i$ being the squares $g_i^2$ of m distinct base numbers $g_1, g_2, \ldots, g_m$ smaller than the f prime factors $p_1, p_2, \ldots, p_f$; said f prime factors $p_1, p_2, \ldots, p_f$ and/or said m base numbers $g_1, g_2, \ldots, g_m$ being produced in such a way that the following conditions are satisfied.

First Condition:

According to the first condition, each of the equations

$x^v \equiv g_i^2 \pmod n \quad (1)$

has solutions in x in the ring of integers modulo n.

Second Condition:

According to the second condition, in the case where $G_i \equiv Q_i^v \pmod n$, among the m numbers $q_i$ obtained by raising $Q_i$ to the square modulo n, k−1 times, one of them is different from $\pm g_i$ (that is to say non-trivial).

According to the second condition, in the case where $G_i \cdot Q_i^v \equiv 1 \pmod n$, among the m numbers $q_i$ obtained by raising the inverse of $Q_i$ modulo n to the square modulo n, k−1 times, one of them is different from $\pm g_i$ (that is to say non-trivial).

It is to be noted here that, according to current notation, $\pm g_i$ represents the numbers $g_i$ and $n - g_i$.

Third Condition:

According to the third condition, among the 2m equations:

$x^2 \equiv g_i \pmod n \quad (2)$

$x^2 \equiv -g_i \pmod n \quad (3)$

at least one of them has solutions in x in the ring of integers modulo n.

The method implements an entity called a witness in the steps defined here below. Said witness entity has the f prime factors $p_i$ and/or the m base numbers $g_i$ and/or the parameters of the Chinese remainders of the prime factors and/or the public modulus n and/or the m private values $Q_i$ and/or the f·m components $Q_{i,j}$ ($Q_{i,j} \equiv Q_i \pmod{p_j}$) of the private values $Q_i$, and the public exponent v.

The witness computes commitments R in the ring of integers modulo n. Each commitment is computed either by:

performing operations of the type

$R \equiv r^v \pmod n$

where r is a random value such that 0 < r < n,

or

** by performing operations of the type

$R_i \equiv r_i^v \pmod{p_i}$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$,

** then by applying the Chinese remainder method.

The witness receives one or more challenges d. Each challenge d comprises m integers $d_i$ hereinafter called elementary challenges. The witness, on the basis of the elementary challenges $d_i$ of each challenge d, computes a response D,

either by performing operations of the type:

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \pmod n$

or

** by performing operations of the type:

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \pmod{p_i}$

** then by applying the Chinese remainder method.

The method is such that there are as many responses D as there are challenges d as there are commitments R. Each group of numbers R, d, D forms a triplet referenced {R, d, D}.

Case of the Proof of the Authenticity of an Entity

In a first variant of an embodiment, the method according to the invention is designed to prove the authenticity of an entity known as a demonstrator to an entity known as the controller. Said demonstrator entity comprises the witness. Said demonstrator and controller entities execute the following steps:

Step 1: Act of Commitment R

At each call, the witness computes each commitment R by applying the process specified above. The demonstrator sends the controller all or part of each commitment R.

Step 2: Act of Challenge d

The controller, after having received all or part of each commitment R, produces challenges d equal in number to the number of commitments R and sends the challenges d to the demonstrator.

Step 3: Act of Response D

The witness computes the responses D from the challenges d by applying the process specified above.

Step 4: Act of Checking

The demonstrator sends each response D to the controller.

First Case: The Demonstrator has Transmitted a Part of Each Commitment R.

If the demonstrator has transmitted a part of each commitment R, the controller, having the m public values $G_1, G_2, \ldots, G_m$, computes a reconstructed commitment R′ from each challenge d and each response D, this reconstructed commitment R′ satisfying a relationship of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

The controller ascertains that each reconstructed commitment R′ reproduces all or part of each commitment R that has been transmitted to it.

Second Case: The Demonstrator has Transmitted the Totality of Each Commitment R

If the demonstrator has transmitted the totality of each commitment R, the controller, having the m public values $G_1, G_2, \ldots, G_m$, ascertains that each commitment R satisfies a relationship of the type

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Case of the Proof of the Integrity of the Message

In a second variant of an embodiment, capable of being combined with the first one, the method according to the invention is designed to provide proof to an entity, known as the controller entity, of the integrity of a message M associated with an entity called a demonstrator entity. Said demonstrator entity comprises the witness.

Said demonstrator and controller entities perform the following steps:

Step 1: Act of Commitment R

At each call, the witness computes each commitment R by applying the process specified above.

Step 2: Act of Challenge d

The demonstrator applies a hashing function h whose arguments are the message M and all or part of each commitment R to compute at least one token T. The demonstrator sends the token T to the controller. The controller, after having received a token T, produces challenges d equal in number to the number of commitments R and sends the challenges d to the demonstrator.

Step 3: Act of Response D

The witness computes the responses D from the challenges d by applying the process specified above.

Step 4: Act of Checking

The demonstrator sends each response D to the controller. The controller, having the m public values $G_1, G_2, \ldots, G_m$, computes a reconstructed commitment R′ from each challenge d and each response D, this reconstructed commitment R′ satisfying a relationship of the type:

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Then the controller applies the hashing function h whose arguments are the message M and all or part of each reconstructed commitment R′ to reconstruct the token T′. Then the controller ascertains that the token T′ is identical to the token T transmitted.

Digital Signature of a Message and Proof of its Authenticity

In a third variant of an embodiment according to the invention, capable of being combined with the two preceding embodiments, the method according to the invention is designed to produce the digital signature of a message M by an entity known as the signing entity. Said signing entity includes the witness.

Signing Operation

Said signing entity executes a signing operation in order to obtain a signed message comprising:

the message M,

the challenges d and/or the commitments R,

the responses D.

Said signing entity executes the signing operation by implementing the following steps:

Step 1: Act of Commitment R

At each call, the witness computes each commitment R by applying the process specified above.

Step 2: Act of Challenge d

The signing entity applies a hashing function h whose arguments are the message M and each commitment R to obtain a binary train. From this binary train, the signing entity extracts challenges d in a number equal to the number of commitments R.

Step 3: Act of Response D

The witness computes the responses D from the challenges d by applying the process specified above.

Checking Operation

To prove the authenticity of the message M, an entity called a controller checks the signed message. Said controller entity, having the signed message, carries out a checking operation by proceeding as follows.

Case Where the Controller has Commitments R, Challenges d, Responses D

If the controller has commitments R, challenges d and responses D, the controller ascertains that the commitments R, the challenges d and the responses D satisfy relationships of the type:

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or relationships of the type:

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Then the controller ascertains that the message M, the challenges d and the commitments R satisfy the hashing function:

$d = h(\text{message}, R)$

Case Where the Controller has Challenges d and Responses D

If the controller has challenges d and responses D, the controller, on the basis of each challenge d and each response D, reconstructs commitments R′ satisfying relationships of the type:

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or relationships of the type:

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Then the controller ascertains that the message M and the challenges d satisfy the hashing function:

$d = h(\text{message}, R')$

Case Where the Controller has Commitments R and Responses D

If the controller has commitments R and responses D, the controller applies the hashing function and reconstructs d′ such that

$d' = h(\text{message}, R)$.

Then the controller ascertains that the commitments R, the challenges d′ and the responses D satisfy relationships of the type:

$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m} \cdot D^v \pmod n$

or relationships of the type:

$R \equiv D^v / (G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m}) \pmod n$.
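The key set-up, the three conditions on the base numbers and the three variants (authentication, message-integrity token, signature) carried through end to end in Python, as an added example that is not code from the patent. It uses the first form $G_i \cdot Q_i^v \equiv 1 \pmod n$ with f = 2 and assumes two toy primes congruent to 3 mod 4 (chosen so that one base yields the non-trivial root of the second condition and another the square of the third), SHA-256 in place of the unspecified hash function h, and (k−1)-bit elementary challenges, a size the text does not fix.

```python
"""Toy GQ2 triplet protocol: key set-up, the three conditions on the base numbers, entity
authentication, message-integrity token and signature. Parameters are far too small for real use."""
import hashlib
import math
import secrets

# Constructed toy parameters: f = 2 primes congruent to 3 mod 4, k = 9 (v = 512), m = 4 bases.
# g = 3 is a residue mod 1019 but not mod 1123, giving the non-trivial root of condition 2;
# g = 2 is a non-residue mod both primes, so -2 is a square mod n, satisfying condition 3.
P1, P2, K = 1019, 1123, 9
BASES = [2, 3, 5, 7]

def legendre(a, p):
    """1 if a is a quadratic residue mod p, p-1 if it is not (a coprime to p)."""
    return pow(a % p, (p - 1) // 2, p)

def crt2(a1, p1, a2, p2):
    """Chinese remainder method: x with x ≡ a1 (mod p1) and x ≡ a2 (mod p2)."""
    return (a1 * p2 * pow(p2, -1, p1) + a2 * p1 * pow(p1, -1, p2)) % (p1 * p2)

def root_2k(a, p, k):
    """2^k-th root of the residue a mod p that is itself a residue (requires p ≡ 3 mod 4)."""
    assert p % 4 == 3
    return pow(a, pow((p + 1) // 4, k, p - 1), p)

def keygen(p1, p2, bases, k):
    """Private Q_i and public G_i = g_i^2 with G_i * Q_i^v ≡ 1 (mod n), v = 2^k."""
    n, v, Q = p1 * p2, 1 << k, []
    for g in bases:  # v-th root of g^2 modulo each prime, inverted, then recombined by CRT
        Q.append(crt2(pow(root_2k(g * g, p1, k), -1, p1), p1, pow(root_2k(g * g, p2, k), -1, p2), p2))
    G = [g * g % n for g in bases]
    assert all(Gi * pow(Qi, v, n) % n == 1 for Gi, Qi in zip(G, Q))
    return n, v, Q, G

def check_conditions(n, v, k, bases, Q, p1, p2):
    """The three conditions of the patent, for the form G_i * Q_i^v ≡ 1 (mod n)."""
    inv = [pow(Qi, -1, n) for Qi in Q]
    # (1) x^v ≡ g_i^2 (mod n) has a solution for every i: Q_i^-1 is one.
    c1 = all(pow(x, v, n) == g * g % n for g, x in zip(bases, inv))
    # (2) squaring Q_i^-1 k-1 times gives, for at least one i, a root of g_i^2 other than ±g_i.
    c2 = any(pow(x, 1 << (k - 1), n) not in (g % n, -g % n) for g, x in zip(bases, inv))
    # (3) for at least one i, g_i or -g_i is a square mod n, i.e. a residue mod every prime factor.
    c3 = any(legendre(s, p1) == 1 and legendre(s, p2) == 1 for g in bases for s in (g, -g))
    return c1, c2, c3

def commit(n, v):
    """Witness: random 0 < r < n and commitment R = r^v mod n."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, v, n)

def random_challenge(k, m):
    """Controller. Assumption (the text fixes no size): each elementary d_i is a (k-1)-bit integer."""
    return [secrets.randbelow(1 << (k - 1)) for _ in range(m)]

def respond(n, r, Q, d):
    """Witness: D = r * Q_1^d1 * Q_2^d2 * ... * Q_m^dm mod n."""
    return r * math.prod(pow(Qi, di, n) for Qi, di in zip(Q, d)) % n

def reconstruct(n, v, G, d, D):
    """Controller: R' = G_1^d1 * ... * G_m^dm * D^v mod n; since G_i * Q_i^v = 1 this is r^v = R."""
    return pow(D, v, n) * math.prod(pow(Gi, di, n) for Gi, di in zip(G, d)) % n

def token(message, R, n):
    """T = h(M, R); SHA-256 stands in for the hash function h, which the text leaves unspecified."""
    return hashlib.sha256(message + R.to_bytes((n.bit_length() + 7) // 8, "big")).digest()

def hash_challenge(message, R, n, k, m):
    """Signature variant: cut the binary train h(M, R) into m elementary (k-1)-bit challenges."""
    h = int.from_bytes(token(message, R, n), "big")
    return [(h >> (i * (k - 1))) & ((1 << (k - 1)) - 1) for i in range(m)]

def authenticate(n, v, k, Q, G):
    """Variant 1, second case: the controller holds all of R and checks it against R'."""
    r, R = commit(n, v)
    d = random_challenge(k, len(Q))
    return reconstruct(n, v, G, d, respond(n, r, Q, d)) == R

def prove_integrity(n, v, k, Q, G, message, seen=None):
    """Variant 2: T = h(M, R) is sent; the controller recomputes it from R' and the message it saw."""
    r, R = commit(n, v)
    T = token(message, R, n)
    d = random_challenge(k, len(Q))
    D = respond(n, r, Q, d)
    return token(message if seen is None else seen, reconstruct(n, v, G, d, D), n) == T

def sign(n, v, k, Q, message):
    """Variant 3: signed message (M, d, D) with the challenges d extracted from h(M, R)."""
    r, R = commit(n, v)
    d = hash_challenge(message, R, n, k, len(Q))
    return message, d, respond(n, r, Q, d)

def verify(n, v, k, G, signed):
    """Checking, case 'controller has d and D': rebuild R' and test d = h(M, R')."""
    message, d, D = signed
    return d == hash_challenge(message, reconstruct(n, v, G, d, D), n, k, len(G))

N, V, PRIV_Q, PUB_G = keygen(P1, P2, BASES, K)
```

check_conditions returns the three booleans of the conditions above for the generated key; the tampered calls in use show the token and the signature failing as soon as the controller sees a message other than the one committed to.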

System

The present invention also relates to a system designed to prove the following to a controller server:

the authenticity of an entity and/or

the integrity of a message M associated with this entity.

This proof is established by means of all or part of the following parameters or derivatives of these parameters:

m pairs of private values $Q_1, Q_2, \ldots, Q_m$ and public values $G_1, G_2, \ldots, G_m$ (m being greater than or equal to 1),

a public modulus n constituted by the product of f prime factors $p_1, p_2, \ldots, p_f$ (f being greater than or equal to 2).

Said modulus, and said private and public values, are linked by relationships of the type:

$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$

v designating a public exponent of the type:

$v = 2^k$

where k is a security parameter greater than 1,

said m public values $G_i$ being the squares $g_i^2$ of m distinct base numbers $g_1, g_2, \ldots, g_m$ smaller than the f prime factors $p_1, p_2, \ldots, p_f$; said f prime factors $p_1, p_2, \ldots, p_f$ and/or said m base numbers $g_1, g_2, \ldots, g_m$ being produced such that the following conditions are satisfied.

First Condition

According to the first condition, each of the equations:

$x^v \equiv g_i^2 \pmod n \quad (1)$

can be solved in x in the ring of integers modulo n.

Second Condition

According to the second condition, in the case where $G_i \equiv Q_i^v \pmod n$, among the m numbers $q_i$ obtained by raising $Q_i$ to the square modulo n, k−1 times, one of them is different from $\pm g_i$ (that is to say non-trivial).

According to the second condition, in the case where $G_i \cdot Q_i^v \equiv 1 \pmod n$, among the m numbers $q_i$ obtained by raising the inverse of $Q_i$ modulo n to the square modulo n, k−1 times, one of them is different from $\pm g_i$ (that is to say non-trivial).

It is pointed out here that, according to a current notation, $\pm g_i$ represents the numbers $g_i$ and $n - g_i$.

Third Condition:

According to the third condition, among the 2m equations:

$x^2 \equiv g_i \pmod n \quad (2)$

$x^2 \equiv -g_i \pmod n \quad (3)$

at least one of them can be solved in x in the ring of integers modulo n.

Said system comprises a witness device, contained especially in a nomad object which, for example, takes the form of a microprocessor-based bank card. The witness device comprises a memory zone containing the f prime factors $p_i$ and/or the parameters of the Chinese remainders of the prime factors and/or the public modulus n and/or the m private values $Q_i$ and/or the f·m components $Q_{i,j}$ ($Q_{i,j} \equiv Q_i \pmod{p_j}$) of the private values $Q_i$, and the public exponent v. The witness device also comprises:

random value production means, hereinafter called the random value production means of the witness device,

computation means, hereinafter called the means for the computation of commitments R of the witness device.

The means of computation make it possible to compute commitments R in the ring of integers modulo n. Each commitment is computed

either by performing operations of the type

$R \equiv r^v \pmod n$

where r is a random value produced by the random value production means, r being such that 0 < r < n,

or by performing operations of the type

$R_i \equiv r_i^v \pmod{p_i}$

where $r_i$ is a random value associated with the prime number $p_i$ such that $0 < r_i < p_i$, each $r_i$ belonging to a collection of random values $\{r_1, r_2, \ldots, r_f\}$ produced by the random value production means, and then by applying the Chinese remainder method.

The witness device also comprises:

reception means, hereinafter called the means for the reception of the challenges d of the witness device, to receive one or more challenges d, each challenge d comprising m integers $d_i$ hereinafter called elementary challenges;

computation means, hereinafter called the means for the computation of the responses D of the witness device, for the computation, on the basis of each challenge d, of a response D:

either by carrying out operations of the type:

$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \pmod n$

or by carrying out operations of the type:

$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \pmod{p_i}$

and then by applying the Chinese remainder method.

The witness device also comprises transmission means to transmit one or more commitments R and one or more responses D. There are as many responses D as there are challenges d as there are commitments R, each group of numbers R, d, D forming a triplet referenced {R, d, D}.

Case of the Proof of the Authenticity of an Entity

In a first variant of embodiment, the system according to the invention is designed to prove the authenticity of an entity called a demonstrator to an entity called a controller.

Said system is such that it comprises a demonstrator device associated with a demonstrator entity. Said demonstrator device is interconnected with the witness device by interconnection means. It may especially take the form of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card.

Said system also comprises a controller device associated with the controller entity. Said controller device especially takes the form of a terminal or remote server. Said controller device comprises connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a computer communications network, to the demonstrator device.

Said system is used to execute the following steps:

Step 1: Act of Commitment R

At each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified above. The witness device comprises means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means. The demonstrator device also comprises transmission means, hereinafter called the transmission means of the demonstrator, to transmit all or part of each commitment R to the controller device through the connection means.

Step 2: Act of Challenge d

The controller device comprises challenge production means for the production, after receiving all or part of each commitment R, of the challenges d equal in number to the number of commitments R. The controller device also comprises transmission means, hereinafter called the transmission means of the controller, to transmit the challenges d to the demonstrator through the connection means.

Step 3: Act of Response D

The means of reception of the challenges d of the witness device receive each challenge d coming from the demonstrator device through the interconnection means. The means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified above.

Step 4: Act of Checking

The transmission means of the demonstrator transmit each response D to the controller. The controller device also comprises:

computation means, hereinafter called the computation means of the controller device,

comparison means, hereinafter called the comparison means of the controller device.

First Case: The Demonstrator has Transmitted a Part of Each Commitment R.

If the transmission means of the demonstrator have transmitted a part of each commitment R, the computation means of the controller device, having the m public values $G_1, G_2, \ldots, G_m$, compute a reconstructed commitment R′ from each challenge d and each response D, this reconstructed commitment R′ satisfying a relationship of the type:

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type:

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

The comparison means of the controller device compare each reconstructed commitment R′ with all or part of each commitment R received.

Second Case: The Demonstrator has Transmitted the Totality of Each Commitment R

If the transmission means of the demonstrator have transmitted the totality of each commitment R, the computation means and the comparison means of the controller device, having the m public values $G_1, G_2, \ldots, G_m$, ascertain that each commitment R satisfies a relationship of the type:

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type:

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Case of the Proof of the Integrity of a Message

In a second variant of embodiment, capable of being combined with the first one, the system according to the invention is designed to give proof to an entity, known as a controller, of the integrity of a message M associated with an entity known as a demonstrator. Said system is such that it comprises a demonstrator device associated with the demonstrator entity. Said demonstrator device is interconnected with the witness device by interconnection means. It may especially take the form of logic microcircuits in a nomad object, for example in the form of a microprocessor in a microprocessor-based bank card. Said system also comprises a controller device associated with the controller entity. Said controller device especially takes the form of a terminal or remote server. Said controller device comprises connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the demonstrator device.

Said system is used to execute the following steps:

Step 1: Act of Commitment R

At each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified above. The witness device has means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means.

Step 2: Act of Challenge d

The demonstrator device comprises computation means, hereinafter called the computation means of the demonstrator, applying a hashing function h whose arguments are the message M and all or part of each commitment R to compute at least one token T. The demonstrator device also comprises transmission means, hereinafter known as the transmission means of the demonstrator device, to transmit each token T through the connection means to the controller device. The controller device also has challenge production means for the production, after having received the token T, of the challenges d in a number equal to the number of commitments R. The controller device also has transmission means, hereinafter called the transmission means of the controller, to transmit the challenges d to the demonstrator through the connection means.

Step 3: Act of Response D

The means of reception of the challenges d of the witness device receive each challenge d coming from the demonstrator device through the interconnection means. The means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified above.

Step 4: Act of Checking

The transmission means of the demonstrator transmit each response D to the controller. The controller device also comprises computation means, hereinafter called the computation means of the controller device, having the m public values $G_1, G_2, \ldots, G_m$, to firstly compute a reconstructed commitment R′ from each challenge d and each response D, this reconstructed commitment R′ satisfying a relationship of the type:

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type:

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$

and then, secondly, to compute a token T′ by applying the hashing function h having as arguments the message M and all or part of each reconstructed commitment R′.

The controller device also has comparison means, hereinafter known as the comparison means of the controller device, to compare the computed token T′ with the received token T.

Digital Signature of a Message and Proof of its Authenticity

In a third variant of an embodiment according to the invention, capable of being combined with one and/or the other of the first two embodiments, the system according to the invention is designed to prove the digital signature of a message M, hereinafter known as a signed message, by an entity called a signing entity.

The signed message comprises:

the message M,

the challenges d and/or the commitments R,

the responses D.

Signing Operation

Said system is such that it comprises a signing device associated with the signing entity. Said signing device is interconnected with the witness device by interconnection means and may especially take the form of logic microcircuits in a nomad object, for example in the form of a microprocessor in a microprocessor-based bank card.

Said system is used to execute the following steps:

Step 1: Act of Commitment R

At each call, the means of computation of the commitments R of the witness device compute each commitment R by applying the process specified above. The witness device comprises means of transmission, hereinafter called the transmission means of the witness device, to transmit all or part of each commitment R to the signing device through the interconnection means.

Step 2: Act of Challenge d

The signing device comprises computation means, hereinafter called the computation means of the signing device, applying a hashing function h whose arguments are the message M and all or part of each commitment R to compute a binary train and extract, from this binary train, challenges d whose number is equal to the number of commitments R.

Step 3: Act of Response D

The means for the reception of the challenges d of the witness device receive each challenge d coming from the signing device through the interconnection means. The means for computing the responses D of the witness device compute the responses D from the challenges d by applying the process specified above. The witness device comprises transmission means, hereinafter called the means of transmission of the witness device, to transmit the responses D to the signing device through the interconnection means.

Checking Operation:

To prove the authenticity of the message M, an entity known as the controller checks the signed message.

Said system comprises a controller device associated with the controller entity. Said controller device especially takes the form of a terminal or remote server. Said controller device comprises connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a computer communications network, to the signing device.

Said signing device associated with the signing entity comprises transmission means, hereinafter known as the transmission means of the signing device, for the transmission, to the controller device, of the signed message through the connection means. Thus the controller device has a signed message comprising:

the message M,

the challenges d and/or the commitments R,

the responses D.

The controller device comprises:

computation means, hereinafter called the computation means of the controller device,

comparison means, hereinafter called the comparison means of the controller device.

Case Where the Controller Device has Commitments R, Challenges d, Responses D

If the controller device has commitments R, challenges d and responses D, the computation and comparison means of the controller device ascertain that the commitments R, the challenges d and the responses D satisfy relationships of the type

$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or relationships of the type:

$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Then, the computation and comparison means of the controller device ascertain that the message M, the challenges d and the commitments R satisfy the hashing function:

$d = h(\text{message}, R)$

Case Where the Controller Device has Challenges d and Responses D

If the controller device has challenges d and responses D, the computation means of the controller device reconstruct, on the basis of each challenge d and each response D, commitments R′ satisfying relationships of the type

$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or relationships of the type:

$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Then the computation and comparison means of the controller device ascertain that the message M and the challenges d satisfy the hashing function:

$d = h(\text{message}, R')$

Case Where the Controller Device has Commitments R and Responses D

If the controller device has commitments R and responses D, the computation means of the controller device apply the hashing function and compute d′ such that:

$d' = h(\text{message}, R)$

Then the computation and comparison means of the controller device ascertain that the commitments R, the challenges d′ and the responses D satisfy relationships of the type:

$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m} \cdot D^v \pmod n$

or relationships of the type:

$R \equiv D^v / (G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m}) \pmod n$.

Terminal Device

The invention also relates to a terminal device associated with anentity. The terminal device especially takes the form of a nomad object,for example the form of a microprocessor in a microprocessor-based bankcard, The terminal device is designed to prove the following to acontroller device:

the authenticity of an entity and/or

the integrity of a message M associated with this entity.

This proof is established by means of all or part of the followingparameters or derivatives of these parameters:

m pairs of private values Q₁, Q₂, …, Q_m and public values G₁, G₂, …, G_m (m being greater than or equal to 1),

a public modulus n constituted by the product of f prime factors p₁, p₂, …, p_f (f being greater than or equal to 2).

Said modulus and said private and public values are related by relationships of the type
$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$,
v designating a public exponent of the type $v = 2^k$, where k is a security parameter greater than 1.

Said m public values G_i are the squares g_i² of m distinct base numbers g₁, g₂, …, g_m smaller than the f prime factors p₁, p₂, …, p_f; said f prime factors p₁, p₂, …, p_f and/or said m base numbers g₁, g₂, …, g_m are produced such that the following conditions are satisfied.

First Condition

According to the first condition, each of the equations:
$x^v \equiv g_i^2 \pmod n$  (1)

can be solved in x in the ring of integers modulo n.

Second Condition

According to the second condition, in the case where $G_i \equiv Q_i^v \pmod n$, among the m numbers q_i obtained by squaring Q_i modulo n k−1 times, one of them is different from ±g_i (that is to say, non-trivial).

According to the second condition, in the case where $G_i \cdot Q_i^v \equiv 1 \pmod n$, among the m numbers q_i obtained by squaring the inverse of Q_i modulo n k−1 times, one of them is different from ±g_i (that is to say, non-trivial).

It is pointed out here that, according to current notation, ±g_i represents the numbers g_i and n−g_i.

Third Condition:

According to the third condition, among the 2m equations:
$x^2 \equiv g_i \pmod n$  (2)
$x^2 \equiv -g_i \pmod n$  (3)

at least one of them can be solved in x in the ring of integers modulon.

Said terminal device comprises a witness device comprising a memory zone containing the f prime factors p_i and/or the parameters of the Chinese remainders of the prime factors and/or the public modulus n and/or the m private values Q_i and/or the f·m components Q_{i,j} (Q_{i,j} = Q_j mod p_i) of the private values Q_i, and the public exponent v.

The witness device also comprises:

random value production means hereinafter called random value productionmeans of the witness device,

computation means, hereinafter called means for the computation ofcommitments R of the witness device in the ring of the integers modulon.

Each commitment is computed

either by performing operations of the type:
$R \equiv r^v \pmod n$

where r is a random value produced by the random value production means, r being such that 0 < r < n,

or by performing operations of the type:
$R_i \equiv r_i^v \pmod{p_i}$

where r_i is a random value associated with the prime number p_i such that 0 < r_i < p_i, each r_i belonging to a collection of random values {r₁, r₂, …, r_f} produced by the random value production means, and then by applying the Chinese remainder method.

The witness device also comprises:

reception means hereinafter called the means for the reception of thechallenges d of the witness device, to receive one or more challenges d,each challenge d comprising m integers d_(i) hereinafter calledelementary challenges;

computation means, hereinafter called means for the computation of theresponses D of the witness device, for the computation, on the basis ofeach challenge d, of a response D,

either by performing operations of the type:
$D \equiv r \cdot Q_1^{d_1} \cdot Q_2^{d_2} \cdots Q_m^{d_m} \pmod n$

or by performing operations of the type:
$D_i \equiv r_i \cdot Q_{i,1}^{d_1} \cdot Q_{i,2}^{d_2} \cdots Q_{i,m}^{d_m} \pmod{p_i}$

and then by applying the Chinese remainder method.

Said witness device also comprises transmission means to transmit one ormore commitments R and one or more responses D. There are as manyresponses D as there are challenges d as there are commitments R. Eachgroup of numbers R, d, D forms a triplet referenced {R, d, D}.

Case of the Proof of the Authenticity of an Entity

In a first embodiment variant, the terminal device according to theinvention is designed to prove the authenticity of an entity called ademonstrator to an entity called a controller.

Said terminal device is such that it comprises a demonstrator deviceassociated with a demonstrator entity. Said demonstrator device isinterconnected with the witness device by interconnection means. It mayespecially take the form of logic microcircuits in a nomad object, forexample the form of a microprocessor in a microprocessor-based bankcard.

Said demonstrator device also comprises connection means for itselectrical, electromagnetic, optical or acoustic connection, especiallythrough a data-processing communications network, to the controllerdevice associated with the controller entity. Said controller deviceespecially takes the form of a terminal or remote server.

Said terminal device is used to execute the following steps:

Step 1: Act of Commitment R

At each call, the means of computation of the commitments R of thewitness device compute each commitment R by applying the processspecified above.

The witness device has means of transmission, hereinafter called transmission means of the witness device, to transmit all or part of each commitment R to the demonstrator device through the interconnection means. The demonstrator device also has transmission means, hereinafter called the transmission means of the demonstrator, to transmit all or part of each commitment R to the controller device, through the connection means.

Steps 2 and 3: Act of Challenge d, Act of Response D

The means of reception of the challenges d of the witness device receiveeach challenge d coming from the controller device through theconnection means between the controller device and the demonstratordevice and through the interconnection means between the demonstratordevice and the witness device. The means of computation of the responsesD of the witness device compute the responses D from the challenges d byapplying the process specified above.

Step 4: Act of Checking

The transmission means of the demonstrator transmit each response D tothe controller device that carries out the check.
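The four-step exchange above, as an added worked example in Python (this is not the patent's own code): the witness computes the commitment and the response per prime factor and recombines them by the Chinese remainder method, and the controller checks the triplet {R, d, D}. The parameters are assumptions of this example: two toy primes congruent to 3 (mod 4), k = 3 (so v = 8), m = 2 base numbers, keys of the direct type G_i ≡ Q_i^v (mod n), and elementary challenges d_i drawn from [0, 2^(k−1) − 1], a range the page does not fix. Real keys use primes of hundreds of bits.

```python
import secrets
from math import prod


def crt(residues, moduli):
    """Chinese remainder method: the x modulo prod(moduli) with x = residues[j] mod moduli[j]."""
    n = prod(moduli)
    x = 0
    for a, p in zip(residues, moduli):
        q = n // p
        x += a * q * pow(q, -1, p)
    return x % n


def is_prime(p):
    return p > 1 and all(p % d for d in range(2, int(p ** 0.5) + 1))


def gq2_keygen(primes, bases, k):
    """Return (n, v, G, Q, Qij) for direct-type keys G_i = g_i^2 = Q_i^v mod n.
    Qij[j][i] = Q_i mod p_j is a 2^k-th root of g_i^2 in GF(p_j): for p = 3 (mod 4)
    the map a -> a^((p+1)/4) is a square root on quadratic residues, applied k times."""
    assert all(is_prime(p) and p % 4 == 3 for p in primes)
    n, v = prod(primes), 2 ** k
    G = [g * g % n for g in bases]
    Qij = [[pow(g * g % p, ((p + 1) // 4) ** k, p) for g in bases] for p in primes]
    Q = [crt([row[i] for row in Qij], primes) for i in range(len(bases))]
    assert all(pow(Qi, v, n) == Gi for Qi, Gi in zip(Q, G))  # first condition: G_i = Q_i^v
    return n, v, G, Q, Qij


def witness_commit(primes, v, rng=secrets):
    """Step 1: r_j random in (0, p_j), R_j = r_j^v mod p_j, recombined by CRT."""
    r = [1 + rng.randbelow(p - 1) for p in primes]
    R = crt([pow(rj, v, p) for rj, p in zip(r, primes)], primes)
    return r, R


def witness_respond(primes, Qij, r, d):
    """Step 3: D_j = r_j * prod_i Q_{j,i}^d_i mod p_j in each field, recombined by CRT."""
    Dj = [r[j] * prod(pow(Qij[j][i], di, p) for i, di in enumerate(d)) % p
          for j, p in enumerate(primes)]
    return crt(Dj, primes)


def controller_check(n, v, G, R, d, D):
    """Step 4: with G_i = Q_i^v an honest D satisfies D^v = r^v * prod G_i^d_i = R * prod G_i^d_i,
    so the controller checks R = D^v / prod G_i^d_i mod n (the page's second relation)."""
    denom = prod(pow(Gi, di, n) for Gi, di in zip(G, d)) % n
    return R == pow(D, v, n) * pow(denom, -1, n) % n


def run_authentication(rng=secrets):
    """One round: returns (honest_ok, replayed_ok).  An honest triplet passes; the same
    response presented against a different challenge fails."""
    primes, bases, k = [1019, 1039], [3, 5], 3          # constructed toy parameters
    n, v, G, Q, Qij = gq2_keygen(primes, bases, k)
    r, R = witness_commit(primes, v, rng)              # Step 1: commitment R
    d = [rng.randbelow(2 ** (k - 1)) for _ in bases]   # Step 2: challenge d = (d_1, d_2)
    D = witness_respond(primes, Qij, r, d)             # Step 3: response D
    honest = controller_check(n, v, G, R, d, D)        # Step 4: check
    replayed = controller_check(n, v, G, R, [d[0] ^ 1] + d[1:], D)
    return honest, replayed


if __name__ == "__main__":
    print(run_authentication())  # (True, False)
```

The replayed check fails deterministically: presenting D against a challenge whose first component differs by one leaves a factor G₁^(±1) = 9^(±1) in the relation, which is never 1 modulo n. The controller's work is m exponentiations with tiny exponents and one raising to the power v; the witness's work is spread over the small prime fields.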

Case of the Proof of the Integrity of a Message

In a second embodiment variant capable of being combined with the first embodiment, the terminal device according to the invention is designed to give proof to an entity, known as a controller, of the integrity of a message M associated with an entity known as a demonstrator. Said terminal device is such that it comprises a demonstrator device associated with the demonstrator entity, said demonstrator device being interconnected with the witness device by interconnection means. It may especially take the form of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card. Said demonstrator device comprises connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the controller device associated with the controller entity. Said controller device especially takes the form of a terminal or remote server.

Said terminal device is used to execute the following steps:

Step 1: Act of Commitment R

At each call, the means of computation of the commitments R of thewitness device compute each commitment R by applying the processspecified above. The witness device has means of transmission,hereinafter called the transmission means of the witness device, totransmit all or part of each commitment R to the demonstrator devicethrough the interconnection means.

Steps 2 and 3: Act of Challenge d, Act of Response D

The demonstrator device comprises computation means, hereinafter calledthe computation means of the demonstrator, applying a hashing function hwhose arguments are the message M and all or part of each commitment R,to compute at least one token T. The demonstrator device also hastransmission means, hereinafter known as the transmission means of thedemonstrator device, to transmit each token T, through the connectionmeans, to the controller device.

Said controller device, after having received the token T, produces challenges d in a number equal to the number of commitments R.

The means of reception of the challenges d of the witness device receive each challenge d coming from the controller device through the connection means between the controller device and the demonstrator device and through the interconnection means between the demonstrator device and the witness device. The means of computation of the responses D of the witness device compute the responses D from the challenges d by applying the process specified above.

Step 4: Act of Checking

The transmission means of the demonstrator send each response D to thecontroller device which performs the check.

Digital Signature of a Message and Proof of its Authenticity

In a third embodiment variant, capable of being combined with either oneof the first two, the terminal device according to the invention isdesigned to produce the digital signature of a message M, hereinafterknown as the signed message, by an entity called a signing entity.

The signed message comprises:

the message M,

the challenges d and/or the commitments R,

the responses D.

Said terminal device is such that it comprises a signing device associated with the signing entity. Said signing device is interconnected with the witness device by interconnection means. It may especially take the form of logic microcircuits in a nomad object, for example the form of a microprocessor in a microprocessor-based bank card. Said signing device comprises connection means for its electrical, electromagnetic, optical or acoustic connection, especially through a data-processing communications network, to the controller device associated with the controller entity. Said controller device especially takes the form of a terminal or remote server.

Signing Operation:

Said terminal device is used to execute the following steps:

Step 1: Act of Commitment R

At each call, the means of computation of the commitments R of thewitness device compute each commitment R by applying the processspecified above. The witness device comprises means of transmission,hereinafter called the transmission means of the witness device, totransmit all or part of each commitment R to the signing device throughthe interconnection means.

Step 2: Act of Challenge d

The signing device comprises computation means, hereinafter called thecomputation means of the signing device, applying a hashing function hwhose arguments are the message M and all or part of each commitment R,to compute a binary train and extract, from this binary train,challenges d whose number is equal to the number of commitments R.

Step 3: Act of Response D

The means for the reception of the challenges d receive each challenge dcoming from the signing device through the interconnection means. Themeans for computing the responses D of the witness device compute theresponses D from the challenges d by applying the process specifiedabove. The witness device comprises transmission means, hereinaftercalled means of transmission of the witness device, to transmit theresponses D to the signing device, through the interconnection means.

Controller Device

The invention also relates to a controller device. The controller devicemay especially take the form of a terminal or remote server associatedwith a controller entity. The controller device is designed to check:

the authenticity of an entity and/or

the integrity of a message M associated with this entity.

This proof is established by means of all or part of the followingparameters or derivatives of these parameters:

m public values G₁, G₂, …, G_m (m being greater than or equal to 1),

a public modulus n constituted by the product of f prime factors p₁, p₂, …, p_f (f being greater than or equal to 2), unknown to the controller device and the associated controller entity.

Said modulus, said public values and the private values Q₁, Q₂, …, Q_m held by the entity being checked are related by relationships of the type
$G_i \cdot Q_i^v \equiv 1 \pmod n$ or $G_i \equiv Q_i^v \pmod n$,

v designating a public exponent of the type $v = 2^k$,

where k is a security parameter greater than 1.

Said m public values G_i are the squares g_i² of m distinct base numbers g₁, g₂, …, g_m smaller than the f prime factors p₁, p₂, …, p_f; said f prime factors p₁, p₂, …, p_f and/or said m base numbers g₁, g₂, …, g_m are produced such that the following conditions are satisfied.

First Condition

According to the first condition, each of the equations:
$x^v \equiv g_i^2 \pmod n$  (1)

can be solved in x in the ring of integers modulo n.

Second Condition

According to the second condition, in the case where $G_i \equiv Q_i^v \pmod n$, among the m numbers q_i obtained by squaring Q_i modulo n k−1 times, one of them is different from ±g_i (that is to say, non-trivial).

According to the second condition, in the case where $G_i \cdot Q_i^v \equiv 1 \pmod n$, among the m numbers q_i obtained by squaring the inverse of Q_i modulo n k−1 times, one of them is different from ±g_i (that is to say, non-trivial).

It is pointed out here that according to a current notation ±g_(i)represents the numbers g_(i) and n−g_(i).

Third Condition

According to the third condition, among the 2m equations:
$x^2 \equiv g_i \pmod n$  (2)
$x^2 \equiv -g_i \pmod n$  (3)

at least one of them can be solved in x in the ring of integers modulon.

Case of the Proof of the Authenticity of an Entity

In a first embodiment variant, the controller device according to the invention is designed to check the authenticity of an entity called a demonstrator on behalf of an entity called a controller.

Said controller device comprises connection means for its electrical,electromagnetic, optical or acoustic connection, especially through adata-processing communications network, to a demonstrator deviceassociated with the demonstrator entity.

Said controller device is used to execute the following steps:

Steps 1 and 2: Act of Commitment R, Act of Challenge d

Said controller device also has means for the reception of all or partof the commitments R coming from the demonstrator device through theconnection means.

The controller device comprises challenge production means for theproduction, after receiving all or part of each commitment R, of thechallenges d in a number equal to the number of commitments R, eachchallenge d comprising m integers d_(i) hereinafter called elementarychallenges.

The controller device also comprises transmission means, hereinaftercalled transmission means of the controller, to transmit the challengesd to the demonstrator through the connection means.

Steps 3 and 4: Act of Response D, Act of Checking

The controller device also comprises:

means for the reception of the responses D coming from the demonstratordevice, through the connection means,

computation means, hereinafter called the computation means of thecontroller device,

comparison means, hereinafter called the comparison means of thecontroller device.

First Case: the Demonstrator has Transmitted a Part of Each CommitmentR.

If the reception means of the controller device have received a part of each commitment R, the computation means of the controller device, having m public values G₁, G₂, …, G_m, compute a reconstructed commitment R′, from each challenge d and each response D, this reconstructed commitment R′ satisfying a relationship of the type:
$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$
or a relationship of the type:
$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

The comparison means of the controller device compare each reconstructedcommitment R′ with all or part of each commitment R received.

Second Case: the Demonstrator has Transmitted the Totality of EachCommitment R

If the reception means of the controller device have received the totality of each commitment R, the computation means and the comparison means of the controller device, having m public values G₁, G₂, …, G_m, ascertain that each commitment R satisfies a relationship of the type:
$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type:
$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Case of the Proof of the Integrity of a Message

In a second embodiment variant capable of being combined with the first, the controller device according to the invention is designed to check the integrity of a message M associated with an entity known as a demonstrator.

Said controller device comprises connection means for its electrical,electromagnetic, optical or acoustic connection, especially through adata-processing communications network, to a demonstrator deviceassociated with the demonstrator entity.

Said controller device is used to execute the following steps:

Steps 1 and 2: Act of Commitment R, Act of Challenge d

Said controller device has means for the reception of tokens T comingfrom the demonstrator device through the connection means. Thecontroller device has challenge production means for the production,after having received the token T, of challenges d in a number equal tothe number of commitments R, each challenge d comprising m integersd_(i) hereinafter called elementary challenges. The controller devicealso has transmission means, hereinafter called the transmission meansof the controller, to transmit the challenges d to the demonstratorthrough the connection means.

Steps 3 and 4: Act of Response D, Act of Checking

Said controller device also comprises means for the reception of the responses D coming from the demonstrator device, through the connection means. Said controller device also comprises computation means, hereinafter called the computation means of the controller device, having m public values G₁, G₂, …, G_m, to first of all compute a reconstructed commitment R′, from each challenge d and each response D, this reconstructed commitment R′ satisfying a relationship of the type:
$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or a relationship of the type:
$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$

and then, secondly, to compute a token T′ by applying a hashing functionh having as arguments the message M and all or part of eachreconstructed commitment R′.

The controller device also has comparison means, hereinafter called thecomparison means of the controller device to compare the computed tokenT′ with the received token T.

Digital Signature of a Message and Proof of its Authenticity

In a third embodiment variant, capable of being combined with either one or the other of the first two embodiments, the controller device according to the invention is designed to check the authenticity of the message M by verifying a signed message on behalf of an entity called a controller.

The signed message, sent by a signing device associated with a signingentity having a hashing function h (message, R) comprises:

the message M,

the challenges d and/or the commitments R,

the responses D.

Checking Operation

Said controller device comprises connection means for its electrical,electromagnetic, optical or acoustic connection, especially through adata-processing communications network, to a signing device associatedwith the signing entity. Said controller device receives the signedmessage from the signing device, through the connection means.

The controller device comprises:

computation means, hereinafter called the computation means of thecontroller device,

comparison means, hereinafter called the comparison means of thecontroller device.

Case Where the Controller Device has Commitments R, Challenges d,Responses D:

If the controller device has commitments R, challenges d and responses D, the computation and comparison means of the controller device ascertain that the commitments R, the challenges d and the responses D satisfy relationships of the type
$R \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$
or relationships of the type:
$R \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$.

Then the computation and comparison means of the controller device ascertain that the message M, the challenges d and the commitments R satisfy the hashing function:
d = h(message, R)

Case Where the Controller Device has Challenges d and Responses D:

If the controller device has challenges d and responses D, the computation means of the controller device can, on the basis of each challenge d and each response D, compute commitments R′ satisfying relationships of the type:
$R' \equiv G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m} \cdot D^v \pmod n$

or relationships of the type:
$R' \equiv D^v / (G_1^{d_1} \cdot G_2^{d_2} \cdots G_m^{d_m}) \pmod n$

and then the computation and comparison means of the controller device ascertain that the message M and the challenges d satisfy the hashing function
d = h(message, R′)

Case Where the Controller Device has Commitments R and Responses D:

If the controller device has commitments R and responses D, the computation means of the controller device apply the hashing function and compute d′ such that
d′ = h(message, R)

and then the computation and comparison means of the controller device ascertain that the commitments R, the challenges d′ and the responses D satisfy relationships of the type
$R \equiv G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m} \cdot D^v \pmod n$

or relationships of the type:
$R \equiv D^v / (G_1^{d'_1} \cdot G_2^{d'_2} \cdots G_m^{d'_m}) \pmod n$.
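The signing operation and the three checking cases above, as an added example in Python (not the patent's own code). It assumes a constructed toy modulus, k = 9 (v = 512), m = 4 private numbers drawn at random with direct-type keys G_i ≡ Q_i^v (mod n) (the page's G_i = g_i² structure, which is what keeps the controller's exponentiations cheap, is not used here), and a hashing function h that cuts SHA-256(M ‖ R) into m elementary challenges of k−1 bits each; that hash construction is this example's choice, not the page's.

```python
import hashlib
import secrets
from math import gcd, prod


def h(message, R, n, m, k):
    """h(message, R): SHA-256 of M || R as a binary train, cut into m elementary
    challenges of k-1 bits each (this example's construction, not the page's)."""
    digest = hashlib.sha256(message + R.to_bytes((n.bit_length() + 7) // 8, "big")).digest()
    return [digest[i] % 2 ** (k - 1) for i in range(m)]


def reconstruct(n, v, G, d, D):
    """The controller's reconstructed commitment R' = D^v / prod G_i^d_i mod n."""
    denom = prod(pow(Gi, di, n) for Gi, di in zip(G, d)) % n
    return pow(D, v, n) * pow(denom, -1, n) % n


def sign(message, n, v, Q, m, k, rng=secrets):
    """Signing operation: Step 1 commitment, Step 2 challenges from the hash, Step 3 response."""
    r = 1 + rng.randbelow(n - 1)
    R = pow(r, v, n)
    d = h(message, R, n, m, k)
    D = r * prod(pow(Qi, di, n) for Qi, di in zip(Q, d)) % n
    return R, d, D


def verify_R_d_D(message, n, v, G, m, k, R, d, D):
    """Signed message carries R, d and D: check the relation, then d = h(message, R)."""
    return reconstruct(n, v, G, d, D) == R and h(message, R, n, m, k) == d


def verify_d_D(message, n, v, G, m, k, d, D):
    """Signed message carries d and D: rebuild R', then check d = h(message, R')."""
    return h(message, reconstruct(n, v, G, d, D), n, m, k) == d


def verify_R_D(message, n, v, G, m, k, R, D):
    """Signed message carries R and D: compute d' = h(message, R), then check the relation with d'."""
    return reconstruct(n, v, G, h(message, R, n, m, k), D) == R


def keygen(n, v, m, rng=secrets):
    """Direct-type toy keys: random private Q_i coprime to n, public G_i = Q_i^v mod n."""
    Q = []
    while len(Q) < m:
        Qi = 1 + rng.randbelow(n - 1)
        if gcd(Qi, n) == 1:
            Q.append(Qi)
    return Q, [pow(Qi, v, n) for Qi in Q]


def demo(rng=secrets):
    """Returns (all_three_checks_pass, altered_R_rejected, altered_message_rejected)."""
    n, k, m = 2003 * 2011, 9, 4              # constructed toy modulus; its factors are not needed here
    v = 2 ** k
    Q, G = keygen(n, v, m, rng)
    msg = b"pay 100 EUR to account 42"       # constructed sample message
    R, d, D = sign(msg, n, v, Q, m, k, rng)
    good = (verify_R_d_D(msg, n, v, G, m, k, R, d, D)
            and verify_d_D(msg, n, v, G, m, k, d, D)
            and verify_R_D(msg, n, v, G, m, k, R, D))
    altered_R = not verify_R_d_D(msg, n, v, G, m, k, (R + 1) % n, d, D)
    altered_msg = not verify_d_D(b"pay 900 EUR to account 42", n, v, G, m, k, d, D)
    return good, altered_R, altered_msg


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

All three checks reduce to the same relation: the reconstructed R′ must equal the commitment that the hash committed to, so whichever of R or d the signed message omits is recomputed from the other two values.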

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A–1D, 2A, 2B, 3A and 3B are graphs useful in explaining thepresent invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The goals of the GQ methods are the dynamic authentication of entitiesand messages together with the digital signature of messages. These aremethods “without transfer of knowledge”. An entity proves that it knowsone or several private numbers. Another entity checks; it knows thecorresponding public number or numbers. The proving entity wants toconvince the checking entity without revealing the private number ornumbers, in such a way as to be able to use them as many times asneeded.

Each GQ method depends on a public modulus composed of secret large prime numbers. A public exponent v and a public modulus n together form a verification key <v,n> meaning "raise to the power v modulo n", implemented by means of one or several generic equations, all of the same type, either direct: $G \equiv Q^v \pmod n$, or inverse: $G \cdot Q^v \equiv 1 \pmod n$. The type affects the calculations within the checking entity, but not within the proving entity; in fact, the security analyses treat the two types alike. Each generic equation links a public number G and a private number Q, which together form a pair of numbers {G,Q}. In summary, each GQ method implements one or several pairs of numbers {G,Q} for the same key <v,n>.

A classic version of the GQ method, here called GQ1, uses an RSA digitalsignature mechanism. The verification key <v,n> is then an RSA publickey where the odd exponent v is preferably a prime number. Each GQ1method in general uses a single pair of numbers {G,Q}: the public numberG is deduced from identification data according to a format mechanismwhich is an integral part of the RSA digital signature technology. Theprivate number Q or its inverse modulo n is an RSA signature foridentification data. The proving entity shows its knowledge of an RSAsignature of its own identification data and this proof does not revealthe signature which therefore remains secret, to be used as many timesas needed.

The GQ1 methods generally implement two levels of keys: the RSA private signing key is reserved for an authority accrediting entities that distinguish themselves from one another by identification data. Such a mechanism is said to be "identity based". Thus, an issuer of chip cards uses its RSA private key at the emission of each card to calculate a private number Q which is written into the card as a diversified private key; or again, a client on a computer network uses its RSA private key when entering each session to calculate a private number Q which will be the ephemeral private key of the client during the session. The proving entities, chip cards or clients in session, know an RSA signature of their identification data; they do not know the RSA private key which, in the key hierarchy, is at the next higher level. Nonetheless, dynamic authentication of entities by GQ1 with a modulus of 768 bits at the level of an authority requires almost the same work load as dynamic authentication of entities by RSA with a modulus of 512 bits with three prime factors at the level of each entity, which allows the proving entity to use the Chinese remainder technique by calculating a result modulo each of the prime factors before calculating a result modulo their product.

However, the hierarchy of keys between an authority and the accreditedentities is not obligatory. One can use GQ1 with a module belonging tothe proving entity, which makes it possible to use the Chinese remaindertechnique to reduce the work loads of the proving entity, which does notchange the work load of the checking entity fundamentally, apart fromthe fact that a modulus at the level of the proving entity can beshorter than a modulus at the level of the authority, for example 512bits in comparison with 768 bits.

When the entity knows the prime factors of its own modulus, why call on an RSA digital signature mechanism?

Another version of GQ methods, here called elementary GQ2, treats directly the problem of factorization of a modulus n. In this context, "directly" means "without calling on the RSA signature". The aim of GQ2 is to reduce the work loads, not only of the proving entity but also of the checking entity. The proving entity demonstrates knowledge of a breakdown (a factorization) of its own modulus and this proof does not reveal the breakdown, which therefore remains secret, so as to be usable as often as needed. The security of the GQ2 protocol is equivalent to the factorization of the modulus.

Each proving entity has its own modulus n. Each GQ2 mechanism implementsa parameter k, a small number greater than 1 fixing a public exponentv=2^(k), and one or several pairs of numbers {G₁,Q₁} to {G_(m),Q_(m)}.Each public number G_(i) is the square of a small number g_(i) greaterthan 1 and called a “base number”. All the proving entities can use thesame public number or numbers G₁ to G_(m). The factorization of themodulus n and the private number or numbers Q₁ to Q_(m) are then at thesame level in the key hierarchy. Each set of elementary GQ2 keys isdefined by two necessary and sufficient conditions:

for each base number, neither of the two equations $x^2 \equiv \pm g_i \pmod n$ has a solution in x in the ring of integers modulo n, that is to say that the numbers ±g_i are both non-quadratic residues modulo n;

for each base number, the equation $x^v \equiv g_i^2 \pmod n$, where $v = 2^k$, has solutions in x in the ring of integers modulo n. The private number Q_i or its inverse modulo n is any one of these solutions.

Taking into account the second condition, in order that the numbers ±g_i are both non-quadratic residues modulo n, the modulus n must comprise at least two prime factors congruent to 3 (mod 4) with respect to which the Legendre symbol of g_i differs. Consequently, any modulus composed of prime factors of which none or only one is congruent to 3 (mod 4) does not allow a set of elementary GQ2 keys to be established, which privileges the prime factors congruent to 3 (mod 4). Now, by taking large prime numbers at random, it appears that only half are congruent to 3 (mod 4) and half to 1 (mod 4). As a result, many RSA moduli in use cannot establish a set of elementary GQ2 keys.

Here we introduce the sets of generalised GQ2 keys to overcome thislimitation in order to be able to use GQ2 technology with any moduluswhatsoever, and in particular with any RSA modulus whatsoever: theydepend on two necessary and sufficient principles.

The first principle reproduces the second elementary GQ2 condition:

For each base number g₁ to g_m, the equation $x^v \equiv g_i^2 \pmod n$, where $v = 2^k$, has solutions in x in the ring of integers modulo n.

Because the private number Q_i or its inverse modulo n is a solution to the equation, k−1 successive squarings modulo n transform it into a number q_i which is a square root of G_i in the ring of integers modulo n. Depending on whether the number q_i is equal to one of the two numbers g_i or n−g_i, or different from both numbers g_i and n−g_i, it is said to be trivial or non-trivial. When a number q_i is non-trivial, n, which divides q_i² − g_i², divides neither q_i − g_i nor q_i + g_i. Any non-trivial number q_i thus reveals a breakdown of the modulus n:
$n = \gcd(n, q_i - g_i) \times \gcd(n, q_i + g_i)$

The second principle widens the first elementary GQ2 condition:

among the numbers q₁ to q_(m), at least one number q_(i) is non trivial.

It is to be noted that if a number q_i exists while the numbers ±g_i are both non-quadratic residues in the ring of integers modulo n, the number q_i is manifestly non-trivial. Thus, the sets of elementary GQ2 keys are certainly part of the sets of generalised GQ2 keys, which make it possible to use any modulus whatsoever, that is to say any product of large prime numbers congruent indifferently to 3 or to 1 (mod 4), at least two of which are distinct. On the other hand, many sets of generalised GQ2 keys are not sets of elementary GQ2 keys. Each set of generalised GQ2 keys falls under one of the following cases:

when the 2×m numbers ±g₁ to ±g_(m) are all non-quadratic residues, thisis a set of elementary GQ2 keys.

when among the 2×m numbers ±g₁ to ±g_(m), there is at least onequadratic residue, this is not a set of elementary GQ2 keys, it is whatis known here as a set of complementary GQ2 keys.

The present invention relates to the sets of complementary GQ2 keys, bydefinition these sets of generalised GQ2 keys not being elementary.Besides the two preceding principles, such a set must satisfy a thirdprinciple.

among the 2×m numbers ±g₁ to ±g_(m), there is at least one quadraticresidue.
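The two elementary GQ2 conditions and the remark on prime factors congruent to 1 (mod 4), as an added example in Python (not the patent's own code). It assumes toy primes, k = 2, and that the prime factors are available (only the key owner can run these checks). A base g passes only if ±g are both non-residues modulo n and x^(2^k) ≡ g² (mod n) is solvable; the residuosity report of the 2m numbers ±g shows whether a key set built on given bases can be elementary or is at best complementary.

```python
from math import gcd


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p by Euler's criterion: 1 for a quadratic
    residue, -1 for a non-residue, 0 when p divides a."""
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def is_quadratic_residue_mod_n(a, primes):
    """a is a square modulo n = prod(primes) iff it is a square in every field GF(p_j)."""
    return all(legendre(a, p) == 1 for p in primes)


def is_2k_power_residue(a, p, k):
    """a is a 2^k-th power in GF(p) iff a^((p-1)/gcd(2^k, p-1)) = 1 (cyclic group of order p-1)."""
    return pow(a % p, (p - 1) // gcd(2 ** k, p - 1), p) == 1


def first_condition(primes, g, k):
    """x^(2^k) = g^2 (mod n) is solvable iff it is solvable modulo every prime factor."""
    return all(is_2k_power_residue(g * g, p, k) for p in primes)


def both_non_residues(primes, g):
    """Elementary GQ2 condition: neither g nor -g is a square modulo n."""
    return not is_quadratic_residue_mod_n(g, primes) and not is_quadratic_residue_mod_n(-g, primes)


def elementary_bases(primes, k, limit):
    """Base numbers g in [2, limit) for which a set of elementary GQ2 keys exists on this modulus."""
    return [g for g in range(2, limit)
            if all(g % p for p in primes) and first_condition(primes, g, k) and both_non_residues(primes, g)]


def residuosity_report(primes, bases):
    """For each base g: (g is a QR mod n, -g is a QR mod n).  A key set on these bases can be
    elementary only if every pair is (False, False); one True means at best a complementary set."""
    return {g: (is_quadratic_residue_mod_n(g, primes), is_quadratic_residue_mod_n(-g, primes))
            for g in bases}


if __name__ == "__main__":
    # Both factors 3 (mod 4): bases whose Legendre symbols differ at the two factors qualify.
    print(elementary_bases([1019, 1039], 2, 10))
    # Both factors 1 (mod 4): -1 is a square in each field, so the second condition forces g
    # to be a square modulo n and no base can satisfy both conditions.
    print(elementary_bases([1009, 1013], 2, 100))
    # Bases 3 and 5 on the first modulus: 5 is a quadratic residue, so the set is not elementary.
    print(residuosity_report([1019, 1039], [3, 5]))
```

With both factors congruent to 1 (mod 4) the list is empty for every candidate g, which is the limitation the generalised key sets below remove.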

In order to assess the problem and understand the solution we provide, that is to say the invention, let us first of all analyse the breakdown of the modulus n revealed by a non-trivial number q, then recall the Chinese remainder technique, then the notion of rank in a Galois field GF(p); next, study the functions "raise to the square" in GF(p) and "take a square root" of a quadratic residue in GF(p); and finally, analyse the applicability of the three principles stated above.

Analysis of the Breakdowns of the Module:

Just as the modulus n is broken down into f prime factors p₁ to p_f, the ring of integers modulo n is broken down into f Galois fields GF(p₁) to GF(p_f). In each field, there are two unit square roots, namely ±1. In the ring, there are thus 2^f unit square roots. Each private number Q₁ to Q_m defines a number $\Delta_i = q_i / g_i \pmod n$ which is one of these 2^f unit square roots in the ring; in other words, n divides Δ_i² − 1.

when q_i is trivial, that is to say Δ_i = ±1, n divides Δ_i − 1 or Δ_i + 1 and therefore Δ_i does not reveal the breakdown of the modulus n.

when q_i is non-trivial, that is to say Δ_i ≠ ±1, n divides neither Δ_i − 1 nor Δ_i + 1 and thus Δ_i reveals a breakdown, $n = \gcd(n, \Delta_i - 1) \times \gcd(n, \Delta_i + 1)$, resulting from the value of Δ_i in each field: the prime factor or factors dividing Δ_i − 1 on the one hand, those dividing Δ_i + 1 on the other.

Examination of the rules of multiplicative composition of the numbers q. Two numbers {q₁,q₂} give a composite number q₁×q₂ (mod n).

when q₁ is non-trivial and q₂ is trivial, the composite number q₁×q₂ (mod n) is non-trivial; it reveals the same breakdown as q₁.

when q₁ and q₂ are non-trivial and Δ₁=±Δ₂, the composite number q₁×q₂ (mod n) is trivial; it does not reveal any breakdown.

when q₁ and q₂ are non-trivial and Δ₁≠±Δ₂, the composite number q₁×q₂ (mod n) is non-trivial; it reveals a third breakdown.

Three numbers {q₁,q₂,q₃} give four composite numbers {q₁×q₂, q₁×q₃, q₂×q₃, q₁×q₂×q₃ (mod n)}, that is a total of seven numbers; m numbers thus provide 2^(m)−m−1 composite numbers, that is a total of 2^(m)−1 numbers.

We shall now consider a set of generalised GQ2 keys comprising i base numbers g₁ to g_(i) and i private numbers Q₁ to Q_(i), giving i numbers q₁ to q_(i) and therefore i numbers Δ₁ to Δ_(i) which are roots of unity. Let us try to take into account another base number g_(i+1) by a private number Q_(i+1) giving a number q_(i+1) and thus a root Δ_(i+1).

The total of the 2^(i+1)−1 numbers contains the same number of non-trivial numbers in each of the following two cases:

the root Δ_(i+1) is trivial and at least one root Δ₁ to Δ_(i) is non-trivial;

the root Δ_(i+1) is non-trivial and figures among the 2×i roots ±Δ₁ to ±Δ_(i).

In the case where the root Δ_(i+1) is non-trivial and does not figure among the 2×i roots ±Δ₁ to ±Δ_(i), each composite number where q_(i+1) figures is non-trivial.

Consequently, when among the m numbers q₁ to q_(m) at least one is non-trivial, more than half of the total of the 2^(m)−1 numbers are non-trivial.

By definition, it is said that l<f non-trivial numbers {q₁,q₂, . . . q_(l)} are independent relative to the modulus n when each of the 2^(l)−l−1 corresponding composite numbers is non-trivial, that is to say that, in total, the 2^(l)−1 numbers are all non-trivial. Each of these 2^(l)−1 numbers thus reveals a different breakdown of the modulus n.

When the f prime factors are distinct, there are 2^(f−1)−1 breakdowns of the modulus n. Thus, if f−1 numbers q are independent, there is a one-to-one correspondence between the 2^(f−1)−1 breakdowns and a total of 2^(f−1)−1 numbers comprising the f−1 independent numbers and the 2^(f−1)−f corresponding composite numbers.

Chinese Remainders

Let a and b be two numbers, prime to each other, such that 0<a<b, and let X_(a) be a number from 0 to a−1 and X_(b) a number from 0 to b−1; the problem is to determine the unique number X from 0 to a×b−1 such that X_(a)≡X (mod a) and X_(b)≡X (mod b). The number α≡{b (mod a)}⁻¹ (mod a) is the Chinese remainders parameter. The elementary Chinese remainders operation is given below:

x≡X_(b) (mod a)

y=X_(a)−x; if y is negative, replace y by y+a

z≡α×y (mod a)

X=z×b+X_(b)

To summarise, one writes: X=Chinese remainders (X_(a), X_(b)).

When f prime factors are arranged in increasing order, from the smallestp₁ to the biggest p_(f), the Chinese remainder parameters can be thefollowing (there is one less than the prime factors, that is to sayf−1).

The first parameter is x≡(p₂(mod p₁))⁻¹(mod p₁).

The second parameter is β≡(p₁×p₂(mod p₃))⁻¹(mod p₃).

The i-th parameter is λ≡(p₁× . . . p_(i−1)(mod p_(i)))⁻¹(mod p_(i)).

And so on.

In f−1 elementary operations, one establishes a number X from 0 to n−1 starting from any set of f components X₁ to X_(f), with X_(j) from 0 to p_(j)−1:

a first result (mod p₁×p₂) with the first parameter,

then a second result (mod p₁×p₂×p₃) with the second parameter,

until the final result (mod n=p₁×p₂× . . . ×p_(f)) with the last parameter.

To summarise, given the prime factors p₁ to p_(f), each element of the ring of integers modulo n has two equivalent representations:

f numbers X₁ to X_(f), one component per prime factor: X_(j)≡X (mod p_(j)),

a number X from 0 to n−1, X=Chinese remainders (X₁, X₂, . . . X_(f)).
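The elementary Chinese remainders operation above, and its chained form with the f−1 parameters, as an added Python example (it is not part of the patent; the function names and the small constructed primes 5, 7, 11 are assumptions made for illustration):

```python
# Added example (not from the patent): the elementary Chinese remainders
# operation of the text, then its chained form using the f-1 parameters
# described for prime factors p1 < p2 < ... < pf.  Moduli below are small
# constructed primes so that every value can be checked by hand.

def crt_parameter(a, b):
    """Chinese remainders parameter alpha = (b mod a)^-1 mod a, for gcd(a, b) = 1."""
    return pow(b % a, -1, a)

def chinese_remainders(x_a, x_b, a, b, alpha=None):
    """The elementary operation: the unique X in [0, a*b) with
    X = x_a (mod a) and X = x_b (mod b)."""
    if alpha is None:
        alpha = crt_parameter(a, b)
    x = x_b % a              # x = X_b (mod a)
    y = (x_a - x) % a        # y = X_a - x, replaced by y + a when negative
    z = (alpha * y) % a      # z = alpha * y (mod a)
    return z * b + x_b       # X = z * b + X_b

def crt_parameters(primes):
    """The f-1 parameters for primes in increasing order:
    alpha = (p2 mod p1)^-1 mod p1, then (p1*...*p_(i-1) mod p_i)^-1 mod p_i."""
    params = [crt_parameter(primes[0], primes[1])]
    prod = primes[0] * primes[1]
    for p in primes[2:]:
        params.append(crt_parameter(p, prod))
        prod *= p
    return params

def components(X, primes):
    """The f components X_j = X (mod p_j)."""
    return [X % p for p in primes]

def chinese_remainders_f(comps, primes, params=None):
    """Rebuild X in [0, n) from its f components in f-1 elementary operations."""
    if params is None:
        params = crt_parameters(primes)
    # first result (mod p1*p2): a = p1, b = p2
    X = chinese_remainders(comps[0], comps[1], primes[0], primes[1], params[0])
    prod = primes[0] * primes[1]
    # then (mod p1*p2*p3), ..., (mod n): a = p_i, b = the product so far
    for x_i, p, param in zip(comps[2:], primes[2:], params[1:]):
        X = chinese_remainders(x_i, X, p, prod, param)
        prod *= p
    return X

if __name__ == "__main__":
    primes = [5, 7, 11]
    X = 123
    assert chinese_remainders_f(components(X, primes), primes) == X
    print(chinese_remainders(2, 3, 5, 7))   # 17: 17 = 2 (mod 5) and 17 = 3 (mod 7)
```

The parameters depend only on the prime factors, so a witness can compute them once and keep them with the private components, which is the representation the text calls "the f−1 parameters of the Chinese remainders".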

Rank of numbers in CG(p)—Let p be an odd prime number and a a number smaller than p, i.e. 0<a<p. By definition, the rank of a with respect to p is the period of the sequence {X} defined by x₁=a and, for i≧1, x_(i+1)≡a×x_(i) (mod p). By applying Fermat's theorem we obtain x_(i+p)≡a^(p)×x_(i)≡a×x_(i)≡x_(i+1) (mod p). Therefore, the rank of a number a with respect to a prime number p is p−1 or a divisor of p−1.

For example, when (p−1)/2 is an odd prime number p′, the Galois field CG(p) includes a number of rank 1, namely 1; a number of rank 2, namely −1; p′−1 numbers of rank p′; and p′−1 numbers of rank 2×p′=p−1. In CG(p), any number of rank p−1 is a “generator”. The name is due to the fact that the successive powers of a generator in CG(p), i.e. the terms of the sequence {X} for indices from 1 to p−1, form a permutation of all the non-zero elements of CG(p).

Let y be a generator of CG(p). Let us evaluate the rank of the number y^(i) (mod p) according to i and p−1. When i is prime with p−1, this is p−1. When i divides p−1, this is (p−1)/i. In all cases, this is (p−1)/lgcd(p−1, i) (lgcd=largest common divisor).

By definition, Euler's function φ(n) is the number of numbers smaller than n and prime with n. In CG(p), there are φ(p−1) generators.

As an illustration, understanding the bases of RSA is facilitated by the rank. The modulus n is the product of f prime factors p₁ to p_(f), with f≧2. For each prime factor p_(j) from p₁ to p_(f), the public exponent e should be prime with p_(j)−1. Now, key <e, p_(j)> observes the rank of the elements of CG(p_(j)): it permutates the elements of CG(p_(j)); there exists a number d_(j), generally as small as possible, such that p_(j)−1 divides e×d_(j)−1. The key <d_(j), p_(j)> inverts the permutation of the elements of CG(p_(j)). These f permutations, one in each field CG(p₁) to CG(p_(f)), are expressed in the ring of integers modulo n by the RSA permutation summarized by the public key <e, n>. There exists a number d, generally as small as possible, such that the smallest common multiple (scm) of (p₁−1, p₂−1, . . . p_(f)−1) divides d×e−1. For each prime factor p_(j) from p₁ to p_(f), we have d_(j)≡d (mod p_(j)−1). The RSA permutation summarized by the public key <e, n> is inverted by the private key <d, n>.

Squares in CG(p)—Let us define a number t such that p−1 is divisible by 2^(t), but not by 2^(t+1). Each large prime number falls into one and only one category: t=1, t=2, t=3, t=4, and so forth. If a sufficiently large number of successive prime numbers are considered, about one out of two falls into the first category, where p is congruent to 3 (mod 4); one out of four into the second one, where p is congruent to 5 (mod 8); one out of eight into the third one, where p is congruent to 9 (mod 16); one out of sixteen into the fourth one, where p is congruent to 17 (mod 32); and so forth: on average, one out of 2^(t) falls into the t-th category, where p is congruent to 2^(t)+1 (mod 2^(t+1)).

Because the numbers x and p−x have the same square in CG(p), key <2, p> does not permutate CG(p). The function “take the square” in CG(p) may be represented by an oriented graph wherein each non-zero element of the field finds its place. Let us analyze the structure of the graph into branches and cycles according to the parity of the rank of each element.

The zero element is a fixed point. This is 0. Rank is not defined for the zero element, to which no other element is related; the zero element is isolated.

The unit element is a fixed point. This is 1, the only element of rank 1. All the roots of unity in CG(p) are located in the branch related to 1. Let y be a non-quadratic residue of CG(p), any one of them; key <(p−1)/2^(t), p> transforms y into a primitive 2^(t−1)th root of −1 referenced as b; indeed, we have y^((p−1)/2)≡−1 (mod p). Therefore, in CG(p), the powers of b for exponents from 1 to 2^(t)−1 are the 2^(t)−1 roots of unity other than 1: they make up the branch related to 1.

The square of any element of even rank is another element whose rank is halved. Therefore, each element of even rank is placed in a branch; each branch includes one element whose rank is divisible by two but not by four, next, if t≧2, two elements whose rank is divisible by four but not by eight, next, if t≧3, four elements whose rank is divisible by eight but not by sixteen, next, if t≧4, eight elements whose rank is divisible by sixteen but not by 32, and so forth. All the branches are similar to the branch related to 1; the 2^(t−1) leaves of each branch are non-quadratic residues; each branch includes 2^(t)−1 elements and is related to an element of odd rank; there are (p−1)/2^(t) branches, all of the same length t.

The square of any element of odd rank other than the unit element is another element having the same rank. Key <2, p> permutates the set of (p−1)/2^(t) elements of odd rank. The permutation is factorized into permutation cycles. The number of cycles depends on the factorization of (p−1)/2^(t). For each divisor p′ of (p−1)/2^(t), there is a cycle including the φ(p′) elements of rank p′. Let us recall that, by definition, Euler's function φ(p′) is the number of numbers smaller than p′ and prime with p′. For example, when p′ equals (p−1)/2^(t) and is prime, the p′−1 numbers of rank p′ form a large permutation cycle.

FIGS. 1A–1D each illustrate a graph fragment for p congruent to 3 (mod 4), 5 (mod 8), 9 (mod 16) and 17 (mod 32), respectively.

The leaves on the branches are illustrated by white circles; these are non-quadratic residues.

The nodes in the branches are illustrated by grey circles; these are quadratic residues of even rank.

The nodes in the cycles are illustrated by black circles; these are quadratic residues of odd rank.
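The rank, the category t and the branch/cycle structure of the “take the square” graph described above, as an added Python example (not part of the patent; the function names and the small constructed primes 7, 13, 17, 41 and 97 are assumptions chosen so that brute force is instant). It checks the counts the text states: (p−1)/2^(t) branches of 2^(t)−1 elements with 2^(t−1) leaves each, and φ(p−1) generators.

```python
# Added example (not from the patent): the rank of a number in CG(p), the
# category t of p, and the branch/cycle structure of the "take the square"
# graph, checked against the counts the text gives.  All primes are small
# constructed values chosen so that brute force is instant.
from math import gcd

def rank(a, p):
    """Rank of a with respect to p: the period of x_(i+1) = a * x_i (mod p),
    i.e. the multiplicative order of a."""
    x, r = a % p, 1
    while x != 1:
        x = (x * a) % p
        r += 1
    return r

def two_adic(n):
    """Largest t such that 2^t divides n."""
    t = 0
    while n % 2 == 0:
        n //= 2
        t += 1
    return t

def euler_phi(n):
    """Number of numbers smaller than n and prime with n."""
    return sum(1 for x in range(1, n) if gcd(x, n) == 1)

def generators(p):
    """Elements of rank p-1; the text says there are phi(p-1) of them."""
    return [a for a in range(1, p) if rank(a, p) == p - 1]

def squaring_graph(p):
    """Split the non-zero elements of CG(p) into cycle nodes (odd rank),
    inner branch nodes (even rank, quadratic residues) and leaves (rank
    divisible by 2^t, i.e. the non-quadratic residues)."""
    t = two_adic(p - 1)
    cycle, nodes, leaves = [], [], []
    for a in range(1, p):
        h = two_adic(rank(a, p))       # 2^h exactly divides the rank of a
        if h == 0:
            cycle.append(a)
        elif h == t:
            leaves.append(a)
        else:
            nodes.append(a)
    return t, cycle, nodes, leaves

def branch_path(a, p):
    """Repeated squaring from a down to the element of odd rank that its
    branch is related to (a leaf reaches it in t squarings)."""
    path = [a]
    while two_adic(rank(path[-1], p)) > 0:
        path.append(path[-1] * path[-1] % p)
    return path

def check_counts(p):
    """(p-1)/2^t branches of 2^t - 1 elements, 2^(t-1) leaves each,
    and phi(p-1) generators, as stated in the text."""
    t, cycle, nodes, leaves = squaring_graph(p)
    branches = (p - 1) // 2 ** t
    return (len(cycle) == branches
            and len(leaves) == branches * 2 ** (t - 1)
            and len(nodes) + len(leaves) == branches * (2 ** t - 1)
            and len(generators(p)) == euler_phi(p - 1))
```

For p=41 (t=3) there are five cycle elements, twenty leaves and fifteen inner nodes; the leaf 3 reaches the cycle through 9 and 40 in exactly t=3 squarings.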

Square roots in CG(p)—Knowing that a is a quadratic residue of CG(p), let us see how to calculate a solution to the equation x²≡a (mod p), i.e. “take a square root” in CG(p). Of course, there are many ways of obtaining the same result; pages 31–36 of the book by Henri Cohen, A Course in Computational Algebraic Number Theory, published in 1993 by Springer in Berlin as volume 138 of the Graduate Texts in Mathematics series (GTM 138), may be consulted.

The number s=(p−1+2^(t))/2^(t+1) provides a key <s, p> which is:

<(p+1)/4, p> when p is congruent to 3 (mod 4),

<(p+3)/8, p> when p is congruent to 5 (mod 8),

<(p+7)/16, p> when p is congruent to 9 (mod 16),

<(p+15)/32, p> when p is congruent to 17 (mod 32), and so forth.

Key <s, p> transforms any element of a cycle into the previous element in the cycle. When a is of odd rank, w≡a^(s) (mod p) is the solution of odd rank. Indeed, in CG(p), w²/a is equal to a to the power (2×(p−1+2^(t))/2^(t+1))−1=(p−1)/2^(t), which is 1 since the rank of a is odd. The other solution is of even rank; this is p−w.

Generally, the key <s, p> transforms any quadratic residue a, in a first approximation, into a solution which we name r. As a is a quadratic residue, the key <2^(t−1), p> certainly transforms r²/a into 1. To approach a square root of a, let us take the power 2^(t−2) of r²/a (mod p) in order to obtain +1 or −1. The new approximation remains r if the result is +1, or else becomes b×r (mod p) if the result is −1, where b refers to any primitive 2^(t)th root of 1 in the field CG(p). Therefore, for the new approximation w, the key <2^(t−2), p> transforms w²/a into 1. It may still be approached by using the key <2^(t−3), p> and by multiplying by b² (mod p) if necessary, and so forth.

The following algorithm solves the equation. It uses the numbers a, b, p, r and t as defined above and two variables: c represents the successive corrections and w the successive approximations. At the beginning of the algorithm, c=b and w=r. At the end of the calculation, the two solutions are w and p−w.

For i from t−2 down to 0, repeat the following sequence:

Apply key <2^(i), p> to the number w²/a (mod p) in order to obtain +1 or −1.

When −1 is obtained, replace w by w×c (mod p).

Replace c by c² (mod p).
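The square-root procedure just described, as an added Python example (not part of the patent). The function names, the choice of the smallest non-quadratic residue y to derive b, and the small constructed primes are assumptions; the correction loop runs the exponent 2^(i) from 2^(t−2) down to 2^(0), the last step fixing the sign of w²/a.

```python
# Added example (not from the patent): the square-root procedure of the text
# for a quadratic residue a of CG(p), with the correction loop using
# c = b, b^2, b^4, ... where b is a primitive 2^t-th root of unity.
# The primes used are small constructed values.

def two_adic(n):
    """Largest t such that 2^t divides n."""
    t = 0
    while n % 2 == 0:
        n //= 2
        t += 1
    return t

def legendre(a, p):
    """Legendre symbol (a|p) as +1 or -1, for a not divisible by p."""
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def primitive_2t_root(p, t):
    """b = y^((p-1)/2^t) for the first non-quadratic residue y:
    a primitive 2^t-th root of unity (b^(2^(t-1)) = -1)."""
    y = next(y for y in range(2, p) if legendre(y, p) == -1)
    return pow(y, (p - 1) >> t, p)

def odd_rank_root(a, p):
    """Key <s, p> with s = (p-1+2^t)/2^(t+1): for a of odd rank, the
    square root of odd rank (the previous element in the cycle)."""
    t = two_adic(p - 1)
    s = (p - 1 + 2 ** t) // 2 ** (t + 1)
    return pow(a, s, p)

def sqrt_mod_p(a, p):
    """Both solutions (w, p-w) of x^2 = a (mod p) for a quadratic residue a."""
    assert legendre(a, p) == 1, "a must be a quadratic residue"
    t = two_adic(p - 1)
    w = odd_rank_root(a, p)            # first approximation r = a^s
    if t >= 2:
        c = primitive_2t_root(p, t)    # successive corrections b, b^2, b^4, ...
        a_inv = pow(a, -1, p)
        for i in range(t - 2, -1, -1):
            # key <2^i, p> applied to w^2/a gives +1 or -1
            if pow(w * w * a_inv % p, 2 ** i, p) == p - 1:
                w = w * c % p          # -1: multiply by the current correction
            c = c * c % p
    return w, p - w

if __name__ == "__main__":
    print(sqrt_mod_p(4, 41))   # (2, 39): p = 41 has t = 3 and needs one correction
```

For t=1 the loop is empty and w=a^((p+1)/4) is already a square root; for p=41 (t=3) the first approximation of √4 is 23, and the step with exponent 2^(0) multiplies it by b² to reach 2.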

Applicability of the principles—By definition, we state that a parameter k, a base number g and a prime factor p are compatible when the equation x^(v)≡g² (mod p), where the exponent v is 2^(k), has solutions in x in the field CG(p). Numbers k and g are small and larger than 1. Number p is a large prime number.

When t=1, i.e. p≡3 (mod 4), the equation has two solutions.

When t=2, i.e. p≡5 (mod 8), according to the Legendre symbol of g with respect to p, the equation has four solutions if (g|p)=+1; it does not have any solution if (g|p)=−1.

When t>2, i.e. p≡1 (mod 8), let u be the number such that 2^(u) divides the rank of the public number G=g² with respect to p, but 2^(u+1) does not divide it; u is therefore equal to one of the numbers from 0 to t−1. The equation has no solution if u>0 and k+u>t; it has 2^(k) solutions if k+u≦t; it has 2^(t) solutions if u=0 and k>t.

Therefore, there are two types of compatibility according to whether G is in a cycle or in a suitable position in a branch.

When G is in a cycle, i.e. u=0, regardless of the value of k, there is a solution of odd rank in the cycle and solutions of even rank spread over α=min(k, t) consecutive branches related to the cycle, i.e. 2^(α) solutions in all. FIG. 2A illustrates this case with k≧t=3, i.e. a prime factor congruent to 9 (mod 16), which imposes that u=0.

When G is in a suitable position in a branch, i.e. u>0 and u+k≦t, there are 2^(k) solutions, all of even rank and in the branch. FIG. 2B illustrates this case.

Given a parameter k, there are therefore two types of prime factors according to whether the value of t is less than k or else larger than or equal to k.

For any prime factor p_(j) such that t<k, each G_(i) should be in a cycle, and there is no solution in the branch related to G_(i). Let us define a number Δ_(i,j) which is +1 or −1 according to whether g_(i) or −g_(i) is in the cycle. There is no choice for any of the m numbers Δ_(1,j) to Δ_(m,j). FIG. 3A illustrates a case with t<k: G_(i) is in a cycle with a prime factor p_(j) congruent to 9 (mod 16), i.e. u=0, t=3 with k>3.

For any prime factor p_(j) such that t≧k, each G_(i) should be such that u+k≦t, i.e. either in a cycle with u=0 or else in a suitable position in a branch with 1≦u≦t−k. Let us define a number Δ_(i,j) which is +1 or −1 according to whether Q_(i,j) is in the portion of the graph related to g_(i) or to −g_(i). There is a choice for each of the m numbers Δ_(1,j) to Δ_(m,j); each number Δ_(i,j) may individually be switched from one value to the other. FIG. 3B illustrates a case with t≧k: G_(i) is in a branch with a prime factor p_(j) congruent to 17 (mod 32), i.e. u=1, t=4 with k=3.

Each set of f components {Δ_(i,1) . . . Δ_(i,f)}, with Δ_(i,j) a square root of unity in CG(p_(j)), defines a square root of unity in the ring of integers modulo n. This root is trivial or not according to whether the f components are all equal or not; we then say that the set of f components is constant or variable, which expresses the fact that the number q_(i) is either trivial or not. Therefore, when a number q_(i) is non-trivial, the set of f components {Δ_(i,1) . . . Δ_(i,f)} summarizes a factorization of the modulus. It is therefore possible to test the principles before calculating the private components Q_(i,j).

When a public number G_(i) is in a cycle for a prime factor p_(j), the number Δ_(i,j) is +1 or −1 according to whether g_(i) or −g_(i) is in the cycle. When p_(j)≡3 (mod 4), this is Legendre's symbol: Δ_(i,j)=(g_(i)|p_(j)).

When a public number G_(i) is in a suitable position in a branch for a prime factor p_(j), the value to be given to Δ_(i,j) may be determined by computing the private component Q_(i,j).

Production of sets of keys—Given a parameter k, there are two strategies.

Either the generator requires f prime factors in order to determine m base numbers. The first prime numbers 2, 3, 5, 7, . . . are examined for evaluating their compatibility with each of the f large prime factors p₁ to p_(f). Although g=2 is not compatible with p≡5 (mod 8), 2 may enter into the composition of a base number. Indeed, when two numbers are in a similar position in a branch, their product is closer to the cycle, exactly as squaring brings an element closer to the cycle. A base number may thereby be obtained by composing numbers which are not appropriate individually.

Or the generator requires m base numbers and characteristics of the modulus, such as a bit size (for example 512, 768, 1024, 1536, 2048) and a number of successive high-order bits equal to 1 (for example 1, 8, 16, 24, 32), in order to determine f>2 prime factors. Noted g₁, g₂, . . . g_(m), the base numbers generally appear among the first prime numbers 2, 3, 5, 7, 11 . . . or else are combinations of the first prime numbers. Unless indicated otherwise, these are the first m prime numbers: g₁=2, g₂=3, g₃=5, g₄=7, . . . Let us note that p≡5 (mod 8) is not compatible with g=2. The modulus n will be the product of f prime factors of close sizes, i.e. the size assigned to the modulus divided by f.

First principle—The parameter k, each prime factor from p₁ to p_(f) and each base number g from g₁ to g_(m) should be compatible. Let us define a number h such that 2^(h) divides the rank of g with respect to p, whereas 2^(h+1) does not divide it. To compute the number h, the following procedure uses Legendre's symbol (g|p) and a number b, a primitive 2^(t)th root of unity in CG(p).

If (g|p)=+1 with t=1, return “h=0”.

If (g|p)=+1 with t>1, apply the key <(p−1+2^(t))/2^(t+1), p> to G in order to obtain a result called w.

If w=+g, return “h=0”.

If w=p−g, return “h=1”.

Else, set c to b and, for i from t−1 to 2,

Apply key <2^(i), p> to w/g (mod p) in order to obtain ±1,

If −1, set h to i and replace w with w×c (mod p),

Replace c with c² (mod p).

Return “value of h from 2 to t−1”.

If (g|p)=−1, return “h=t”.

Let us recall that k, g and p are incompatible when u>0 with k+u>t; they are compatible when h=0 or 1, regardless of the value of k, and equally when k>1 with k+h≦t+1.
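The compatibility test of the first principle, as an added Python example (not part of the patent). Rather than the correction loop, it computes h directly from its definition (2^(h) exactly divides the rank of g, which is the order of g^((p−1)/2^(t)) as a power of two), checks the readings w=g (h=0) and w=p−g (h=1) stated above, and verifies the solution counts of the applicability section by brute force. The function names and the small constructed primes are assumptions.

```python
# Added example (not from the patent): compatibility of (k, g, p) under the
# first principle.  h is computed from its definition, the w = G^s readings
# of the text are checked against it, and the solution counts stated in the
# applicability section are verified by brute force on small constructed primes.

def two_adic(n):
    """Largest t such that 2^t divides n."""
    t = 0
    while n % 2 == 0:
        n //= 2
        t += 1
    return t

def compute_h(g, p):
    """2^h exactly divides the rank of g: since (p-1)/2^t is odd, h is the
    order, as a power of two, of z = g^((p-1)/2^t)."""
    t = two_adic(p - 1)
    z = pow(g, (p - 1) >> t, p)
    h = 0
    while z != 1:
        z = z * z % p
        h += 1
    return h

def first_approximation(g, p):
    """w = G^s with G = g^2 and s = (p-1+2^t)/2^(t+1):
    the text reads w = g as h = 0 and w = p - g as h = 1."""
    t = two_adic(p - 1)
    s = (p - 1 + 2 ** t) // 2 ** (t + 1)
    return pow(g * g, s, p)

def is_compatible(k, g, p):
    """Compatible when h = 0 or 1 regardless of k, or when k + h <= t + 1."""
    t, h = two_adic(p - 1), compute_h(g, p)
    return h <= 1 or k + h <= t + 1

def expected_solutions(k, g, p):
    """Number of x with x^(2^k) = g^2 (mod p) as stated in the text, with u
    the power of two in the rank of G = g^2 (u = h - 1 for h >= 1, else 0)."""
    t, h = two_adic(p - 1), compute_h(g, p)
    u = max(h - 1, 0)
    if u == 0:
        return 2 ** min(k, t)          # G in a cycle: 2^alpha, alpha = min(k, t)
    return 2 ** k if k + u <= t else 0 # G in a branch: 2^k or none

def brute_force_solutions(k, g, p):
    """All x in CG(p) with x^(2^k) = g^2 (mod p), for checking."""
    G = g * g % p
    return [x for x in range(1, p) if pow(x, 2 ** k, p) == G]
```

With p=41 (t=3) and g=2 one finds h=2, so k=2 is compatible (four solutions) while k=3 is not (none); the page's remark that g=2 is incompatible with p≡5 (mod 8) shows up as is_compatible(2, 2, 13) being false.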

Second principle—The three following procedures correspond to different implementations of the second principle. In certain implementations, the second principle may be reinforced to the point of requiring that each number q₁ to q_(m) be non-trivial. The role of the base numbers is then balanced; balancing or not the second principle has an effect on certain aspects of the demonstration of the security of the scheme. Finally, when there are f>2 distinct prime factors, it may be required that, among the m numbers {q₁ . . . q_(m)}, there be at least one subset of f−1 independent numbers.

The three procedures use m×f numbers δ_(i,j) defined as follows.

When p_(j) is such that t<k, for i from 1 to m, δ_(i,j)=Δ_(i,j), i.e. +1 if h_(i,j)=0 and −1 if h_(i,j)=1.

When p_(j) is such that t≧k, for i from 1 to m, δ_(i,j)=0, which means that Δ_(1,j) to Δ_(m,j) may be selected according to the second principle.

A first procedure ascertains that at least one set {δ_(i,1) . . . δ_(i,f)} is variable or zero, i.e. that at least one number q₁ to q_(m) is non-trivial or may be chosen as non-trivial.

For i from 1 to m and j from 1 to f,

if δ_(i,j)=0 or ≠δ_(i,1), return “success”.

Return “failure”.

A second procedure ascertains that each set {δ_(i,1) . . . δ_(i,f)} is variable or zero, i.e. that each number q₁ to q_(m) is non-trivial or may be chosen as non-trivial.

For i from 1 to m,

For j from 1 to f,

if δ_(i,j)=0 or ≠δ_(i,1), skip to the next value of i,

Return “failure”.

Return “success”.

A third procedure ascertains that, for each pair of prime factors p_(j1) and p_(j2) with 1≦j₁<j₂≦f, there is at least one set {δ_(i,1) . . . δ_(i,f)} where δ_(i,j1) is zero or different from δ_(i,j2). It obviously fails when m is smaller than f−1. When it succeeds, among the m numbers q₁ to q_(m), there is at least one subset of f−1 numbers independent with respect to the f prime factors.

For j₁ from 1 to f−1 and for j₂ from j₁+1 to f,

For i from 1 to m,

If δ_(i,j1)=0 or ≠δ_(i,j2), skip to the next values of j₁ and j₂,

Return “failure”.

Return “success”.

When a procedure fails, the generator of GQ2 key sets follows the strategy it has chosen among the two possible strategies:

Change one of the m base numbers while keeping the f prime factors,

Change one of the f prime factors while keeping the m base numbers.

Third principle—The following procedure determines whether the set of generalized GQ2 keys, either during production or already produced, is

either a set of elementary GQ2 keys, i.e. the 2×m numbers ±g₁ to ±g_(m) are all non-quadratic residues,

or else a set of complementary GQ2 keys, i.e. among the 2×m numbers ±g₁ to ±g_(m), there is at least one quadratic residue.

The procedure uses both Legendre's symbols (g_(i)|p_(j)) and (−g_(i)|p_(j)) for i from 1 to m and for j from 1 to f.

For i from 1 to m,

For j from 1 to f,

If (g_(i)|p_(j))=−1, skip to the test of −g_(i) below.

Return “set of complementary GQ2 keys”.

For j from 1 to f,

If (−g_(i)|p_(j))=−1, skip to the next value of i.

Return “set of complementary GQ2 keys”.

Return “set of elementary GQ2 keys”.
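The δ_(i,j) table of the second principle with its three procedures, and the third-principle test on the Legendre symbols of ±g_(i), as one added Python example serving both passages (it is not part of the patent). The key set used, k=2 with the primes 7, 11, 41 and the base numbers 2, 5, 23, is a small constructed one chosen so that every base number is compatible with every prime; the function names are assumptions.

```python
# Added example (not from the patent): the delta_(i,j) table of the second
# principle, the three procedures built on it, and the third-principle test.
# The key set (k = 2, primes 7, 11, 41, base numbers 2, 5, 23) is constructed
# for illustration; 7 and 11 have t = 1 < k, 41 has t = 3 >= k.

def two_adic(n):
    """Largest t such that 2^t divides n."""
    t = 0
    while n % 2 == 0:
        n //= 2
        t += 1
    return t

def legendre(a, p):
    """Legendre symbol (a|p) as +1 or -1, for a not divisible by p."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1

def delta_fixed(g, p, t):
    """For t < k: Delta = +1 when g is in the cycle (h = 0), -1 when -g is (h = 1).
    g^((p-1)/2^t) is then 1 or -1; any other value fails the first principle."""
    z = pow(g, (p - 1) >> t, p)
    assert z in (1, p - 1), "g is not compatible with p"
    return 1 if z == 1 else -1

def delta_table(k, primes, bases):
    """delta[i][j] = Delta_(i,j) when t_j < k, 0 when t_j >= k (free choice)."""
    table = []
    for g in bases:
        row = []
        for p in primes:
            t = two_adic(p - 1)
            row.append(delta_fixed(g, p, t) if t < k else 0)
        table.append(row)
    return table

def procedure_one(delta):
    """At least one set {delta_(i,1) ... delta_(i,f)} is variable or zero."""
    return any(d == 0 or d != row[0] for row in delta for d in row)

def procedure_two(delta):
    """Every set {delta_(i,1) ... delta_(i,f)} is variable or zero."""
    return all(any(d == 0 or d != row[0] for d in row) for row in delta)

def procedure_three(delta):
    """For every pair j1 < j2 of prime factors, some set has
    delta_(i,j1) zero or different from delta_(i,j2)."""
    f = len(delta[0])
    return all(any(row[j1] == 0 or row[j1] != row[j2] for row in delta)
               for j1 in range(f - 1) for j2 in range(j1 + 1, f))

def third_principle(primes, bases):
    """'elementary' when every +-g_i is a non-quadratic residue modulo at least
    one p_j (hence modulo n); 'complementary' as soon as one is a residue
    modulo every p_j."""
    for g in bases:
        for x in (g, -g):
            if all(legendre(x, p) == 1 for p in primes):
                return "set of complementary GQ2 keys"
    return "set of elementary GQ2 keys"

if __name__ == "__main__":
    delta = delta_table(2, [7, 11, 41], [2, 5, 23])
    print(delta, procedure_one(delta), procedure_two(delta), procedure_three(delta))
    print(third_principle([7, 11, 41], [2, 5, 23]))
```

With only the base number 23 and the primes 7 and 11, the row (+1, +1) is constant, so all three procedures fail and the generator would have to change a base number or a prime factor; with 23 included and the three primes, 23 is a quadratic residue modulo each of them, so the set is complementary, whereas the base numbers 2 and 5 alone give an elementary set.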

Private components—For an equation of the direct type x^(v)≡g_(i)² (mod p_(j)), the following computation establishes all the possible values of the private component Q_(i,j). The two simplest and most common cases, i.e. t=1 and t=2, are followed by the more complex case, i.e. t>2.

For t=1, i.e. p_(j)≡3 (mod 4), the key <(p_(j)+1)/4, p_(j)> provides, for any quadratic residue in CG(p_(j)), the square root which is itself a quadratic residue. From this, a number is derived:

s_(j)≡((p_(j)+1)/4)^(k) (mod (p_(j)−1)/2), which gives a key <s_(j), p_(j)> transforming G_(i) into w≡G_(i)^(sj) (mod p_(j)). Q_(i,j) is equal to w or p_(j)−w.

For t=2, i.e. p_(j)≡5 (mod 8), the key <(p_(j)+3)/8, p_(j)> provides the square root of odd rank of any element of odd rank in CG(p_(j)). From this, a number is derived, s_(j)≡((p_(j)+3)/8)^(k) (mod (p_(j)−1)/4), which gives a key <s_(j), p_(j)> transforming G_(i) into w≡G_(i)^(sj) (mod p_(j)). Let us note that z≡2^((pj−1)/4) (mod p_(j)) is a square root of −1 because 2 is a non-quadratic residue in CG(p_(j)). Q_(i,j) is equal either to w or to p_(j)−w, or else to w′≡w×z (mod p_(j)) or p_(j)−w′.

For p_(j)≡2^(t)+1 (mod 2^(t+1)) with t>2, the key <(p_(j)−1+2^(t))/2^(t+1), p_(j)> provides the square root of odd rank of any element of odd rank. The compatibility test between k, g and p gave the value of h, and next that of u.

When G_(i) is in a cycle (u=0, regardless of the value of k), a number is established,

s_(j)≡((p_(j)−1+2^(t))/2^(t+1))^(k) (mod (p_(j)−1)/2^(t)). Key <s_(j), p_(j)> transforms G_(i) into the solution of odd rank w≡G_(i)^(sj) (mod p_(j)). There are solutions of even rank distributed in min(k, t) consecutive branches related to the cycle, let us say in α branches. Q_(i,j) is equal to the product of w by any of the 2^(α)th roots of unity in CG(p_(j)).

When G_(i) is in a suitable position in a branch (u>0, u+k≦t), all the solutions are in the same branch as G_(i), a branch related to a cycle by the 2^(u)th power of the number G_(i). A number is established as

s_(j)≡((p_(j)−1+2^(t))/2^(t+1))^(k+u) (mod (p_(j)−1)/2^(t)).

Key <s_(j), p_(j)> transforms the 2^(u)th power of G_(i) into a number of odd rank w. The set of products of w with the primitive 2^(k+u)th roots of unity in CG(p_(j)) comprises the 2^(k) values of Q_(i,j).

When p_(j) is such that t≧k, as the number b_(j) is a primitive 2^(t)th root of unity in CG(p_(j)), the 2^(t−k)th power of b_(j) in CG(p_(j)) exists; this is a primitive 2^(k)th root of unity. The value of the number Δ_(i,j) may be switched by multiplying Q_(i,j) by a primitive 2^(k)th root of unity.

For an equation of the inverse type 1≡x^(v)×g_(i)² (mod p_(j)), it is sufficient to replace the number s_(j) by ((p_(j)−1)/2^(t))−s_(j) in the key <s_(j), p_(j)>, which amounts to inverting the value of Q_(i,j) in CG(p_(j)).
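The computation of the private components for the two simplest cases, t=1 and t=2, for both the direct and the inverse equation, together with the reading of Δ_(i,j) from a component, as an added Python example (not part of the patent). The function names and the small constructed parameters (p=7, 11, 13; k=2, 3, 4) are assumptions; the t>2 case is not covered.

```python
# Added example (not from the patent): private components Q_(i,j) in CG(p)
# for t = 1 (p = 3 mod 4) and t = 2 (p = 5 mod 8), for the direct equation
# x^(2^k) = g^2 (mod p) and the inverse one 1 = x^(2^k) * g^2 (mod p), and
# the Delta_(i,j) reading of a component.  Parameters are small constructed values.

def two_adic(n):
    """Largest t such that 2^t divides n."""
    t = 0
    while n % 2 == 0:
        n //= 2
        t += 1
    return t

def private_components(g, p, k, inverse=False):
    """All values of Q_(i,j) for t = 1 or t = 2; g must be compatible with p."""
    t = two_adic(p - 1)
    G = g * g % p
    if t == 1:                                   # p = 3 (mod 4)
        modulus = (p - 1) // 2
        s = pow((p + 1) // 4, k, modulus)        # s = ((p+1)/4)^k mod (p-1)/2
        roots_of_unity = [1, p - 1]              # two solutions
    elif t == 2:                                 # p = 5 (mod 8)
        modulus = (p - 1) // 4
        s = pow((p + 3) // 8, k, modulus)        # s = ((p+3)/8)^k mod (p-1)/4
        z = pow(2, (p - 1) // 4, p)              # square root of -1 (2 is a non-residue)
        roots_of_unity = [1, p - 1, z, p - z]    # four solutions
    else:
        raise ValueError("this example covers t = 1 and t = 2 only")
    assert pow(G, modulus, p) == 1, "G must be in a cycle (g incompatible with p)"
    if inverse:
        s = modulus - s                          # s replaced by (p-1)/2^t - s
    w = pow(G, s, p)                             # key <s, p> applied to G
    return sorted(w * e % p for e in roots_of_unity)

def delta_component(Q, g, k, p):
    """Delta_(i,j): +1 when q = Q^(2^(k-1)) is g, -1 when it is -g."""
    q = pow(Q, 2 ** (k - 1), p)
    if q == g % p:
        return 1
    if q == (-g) % p:
        return -1
    raise ValueError("Q is not a private component for g")

def check(g, p, k):
    """Every component solves its equation, direct and inverse."""
    v, G = 2 ** k, g * g % p
    direct = all(pow(Q, v, p) == G for Q in private_components(g, p, k))
    inverse = all(pow(Q, v, p) * G % p == 1
                  for Q in private_components(g, p, k, inverse=True))
    return direct and inverse

if __name__ == "__main__":
    print(private_components(3, 13, 2))      # [4, 6, 7, 9]: four solutions of x^4 = 9 (mod 13)
    print([delta_component(Q, 3, 2, 13) for Q in private_components(3, 13, 2)])
```

For p=7 (t=1<k=2) both components of g=2 give Δ=+1: there is no choice. For p=13 (t=2=k) the four components of g=3 split into two with Δ=+1 and two with Δ=−1, which is the switch by a primitive 2^(k)th root of unity described above.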

Example of a Set of Keys with Two Prime Factors Congruent to 5 (mod 8)

p₁=E6C83BF428689AF8C35E07EDD06F9B39A659829A58B79CD894C435C95F32BF25

p₂=11BF8A68A0817BFCC00F15731C8B70CEF9204A34133A0DEF862829B2EEA74873D

n=p₁×p₂=FFFF8263434F173D0F2E76B32D904F56F4A5A6A50008C43D32B650E9AB9AAD2EB713CD4F9A97C4DBDA3828A3954F296458D5F42C0126F5BD6B05478BE0A80ED1

Here are the Legendre symbols of the very first prime numbers.

(2|p₁)=−1; (3|p₁)=−1; (5|p₁)=+1; (7|p₁)=−1; (11|p₁)=+1; (13|p₁)=−1; (17|p₁)=+1;

In CG(p₁), the rank is odd for −5, −11 and 17.

(2|p₂)=−1; (3|p₂)=+1; (5|p₂)=+1; (7|p₂)=+1; (11|p₂)=+1; (13|p₂)=−1; (17|p₂)=−1;

In CG(p₂), the rank is odd for 3, −5, 7 and 11.

Carmichael's function is

λ(n)=scm((p₁−1)/4, (p₂−1)/4).

λ(n)=33331A13DA4304A5CFD617BD6F834311642121543334F40C3D57A9C8558555D5BDAA2EF6AED17B9E3794F51A65A1B37239B18FA9B0F618627D8C7E1D8499C1B

With k=9, the number σ≡λ(n)−((1+λ(n))/2)⁹ (mod λ(n)) is used as a private exponent, in order to use the generic equations of the inverse type.

σ=01E66577BC997CAC273671E187A35EFD25373ABC9FE6770E7446C0CCEF2C72AF6E89D0BE277CC6165F1007187AC58028BD2416D4CC1121E7A7A8B6AE186BB4B0

Numbers 2, 3, 7, 13 and 17 are not suitable as base numbers.

Key <σ,n> transforms g₁=5 into a private number Q₁ which does not show any factorization. Indeed, in both fields, −5 is on a cycle.

Q₁=818C23AF3DE333FAECE88A71C4591A70553F91D6C0DD5538EC0F2AAF909B5BDAD491FD8BF13F18E3DA3774CCE19D0097BC4BD47C5D6E0E7EBF6D89FE3DC5176C

Key <σ,n> transforms g₂=11 into a private number Q₂ which shows a factorization. Indeed, 11 is not in the same position in both fields.

Q₂=25F9AFDF177993BE8652CE6E2C728AF31B6D66154D3935AC535196B07C19080DC962E4E86ACF40D01FDC454F2565454F290050DA052089EEC96A1B7DEB92CCA7

Key <σ,n> transforms g₃=21=3×7 into a private number Q₃ which shows a factorization.

Q₃=78A8A2F30FEB4A5233BC05541AF7B684C2406415EA1DD67D18A0459A1254121E95D5CAD8A1FE3ECFE0685C96CC7EE86167D99532B3A96B6BF9D93CAF8D4F6AF0

Key <σ,n> transforms g₄=26=2×13 into a private number Q₄ which shows a factorization.

Q₄=6F1748A6280A200C38824CA34C939F97DD2941DAD300030E481B738C62BF8C673731514D1978AF5655FE493D659514A6CE897AB76C01E50B5488C5DAD12332E5

The private key may further be represented by the two prime factors, the parameter of the Chinese remainders and eight private components.

α≡(p₂ (mod p₁))⁻¹ (mod p₁)=ADE4E77B703F5FDEAC5B9AAE825D649E06692D15FBF0DF737B15DC4D012FD1D

Q_(1,1)≡Q₁ (mod p₁)=7751AEE918A8F5CE44AD73D613A4F465E06C6F9AF4D229949C74DD6C18D76FAF

Q_(1,2)≡Q₁ (mod p₂)=A9EB5FA1B2A981AA64CF88C382923DB64376F5FD48152C08EEB6114F31B7665F

Q_(2,1)≡Q₂ (mod p₁)=D5A7D33C5FB75A033F2F0E8B20274B957FA34004ABB2C2AC1CA3F5320C5A9049

Q_(2,2)≡Q₂ (mod p₂)=76C9F5EFD066C73A2B5CE9758DB512DFC011F5B5AF7DA8D39A961CC876F2DD8F

Q_(3,1)≡Q₃ (mod p₁)=2FEC0DC2DCA5BA7290B27BC8CC85C938A514B8F5CFD55820A174FB5E6DF7B883

Q_(3,2)≡Q₃ (mod p₂)=010D488E6B0A38A1CC406CEE0D55DE59013389D8549DE493413F34604A160C1369

Q_(4,1)≡Q₄ (mod p₁)=A2B32026B6F82B6959566FADD9517DB8ED8524652145EE159DF3DC0C61FE3617

Q_(4,2)≡Q₄ (mod p₂)=011A3BB9B607F0BD71BBE25F52B305C224899E5F1F8CDC2FE0D8F9FF62B3C9860F

Polymorphism of the GQ2 private key—The different possible representations of the GQ2 private key prove to be equivalent: they all amount to knowing the factorization of the modulus n, which is the actual GQ2 private key. The representation of the GQ2 private key has an effect on the progress of the computations within the demonstrating entity but not within the controlling entity. Here are the three main representations which are possible for the GQ2 private key.

1) The conventional representation of GQ private keys consists in storing the m private numbers Q_(i) and the public checking key <v, n>; for the GQ2 schemes, this representation is in competition with the following two.

2) The optimum representation in terms of work load consists in storing the parameter k, the f prime factors p_(j), the m×f private components Q_(i,j) and the f−1 parameters of the Chinese remainders.

3) The optimum representation in terms of private key size consists in storing the parameter k, the m base numbers g_(i) and the f prime factors p_(j), and then in starting each use by establishing either the m private numbers Q_(i) and the modulus n, so that it amounts to the first representation, or the m×f private components Q_(i,j) and the f−1 parameters of the Chinese remainders, so that it amounts to the second representation.

Because the security of the dynamic authentication mechanism or of the digital signature is equivalent to knowing a factorization of the modulus, with the GQ2 schemes it is not possible to simply distinguish two entities using the same modulus. Generally, each proving entity has its own GQ2 modulus. However, GQ2 moduli with four prime factors may be specified, two of which are known to one entity and the other two to another.

Dynamic authentication—The dynamic authentication mechanism is for proving to an entity called a controller the authenticity of another entity called a demonstrator, as well as the authenticity of a possible associated message M, so that the controller ascertains that it is actually dealing with the demonstrator and, optionally, that itself and the demonstrator are speaking of the same message M. The associated message M is optional, which means it may be empty.

The dynamic authentication mechanism is a sequence of four acts: a commitment act, a challenge act, a response act and a checking act. The demonstrator plays the commitment and response acts. The controller plays the challenge and checking acts.

Within the demonstrator, a witness may be isolated in order to isolate the most sensitive parameters and functions of the demonstrator, i.e. the production of commitments and responses. The witness has the parameter k and the GQ2 private key, i.e. the factorization of the modulus n according to one of the three representations mentioned above:

• the f prime factors and the m base numbers,

• the m×f private components, the f prime factors and the f−1 parameters of the Chinese remainders,

• the m private numbers and the modulus n.

The witness may correspond to a particular embodiment, for example:

• a chip card connected to a PC, forming together the demonstrator, or

• programs particularly protected within a PC, or

• programs particularly protected within a chip card.

The witness thereby isolated is similar to the witness defined hereafter within the signing entity. Upon each execution of the mechanism, the witness produces one or more commitments R, and then as many responses D to as many challenges d. Each set {R, d, D} forms a GQ2 triplet.

In addition to comprising the witness, the demonstrator also has a hashing function and, if necessary, a message M.

The controller has the modulus n, for example from a directory of public keys or from a certificate of public keys; if necessary, it also has the same hashing function and a message M′. The GQ2 public parameters, i.e. the numbers k, m and g₁ to g_(m), may be provided to the controller by the demonstrator. The controller is able to reconstruct a commitment R′ from any challenge d and any response D. The parameters k and m inform the controller. Unless indicated otherwise, the m base numbers g₁ to g_(m) are the first m prime numbers. Each challenge d should include m elementary challenges referenced d₁ to d_(m), one per base number. Each elementary challenge d₁ to d_(m) is a number from 0 to 2^(k−1)−1 (the numbers from v/2 to v−1 are not used). Typically, each challenge is coded by m times k−1 bits (and not m times k bits). For example, with k=5 and m=4 base numbers 5, 11, 21 and 26, each challenge includes 16 bits transmitted as four quartets. When the 2^((k−1)×m) possible challenges are equally probable, the number (k−1)×m determines the security brought by each GQ2 triplet: an impostor, who by definition does not know the factorization of the modulus n, has exactly one chance of success out of 2^((k−1)×m). When (k−1)×m is from 15 to 20, one triplet is sufficient for reasonably ensuring dynamic authentication. In order to achieve any level of security, triplets may be produced in parallel; they may also be produced in sequence, i.e. by repeating the execution of the mechanism.

1) The act of commitment comprises the following operations.

When the witness does not use the Chinese remainders, it has theparameter k, the m private numbers from Q₁ to Q_(m) and module n; itrandomly and privately picks one or more random numbers r (0<r<n); andthen by successively squaring them k times (mod n), it transforms eachrandom number r into a commitment R.R≡r ^(v)(mod n)

Here is an example with the previous set of keys without the Chineseremainders.

r=5E94B894AC24AF843131F437C1B1797EF562CFA53AB8AD426C1AC016F1C89CFDA13120719477C3E2FB4B4566088E10EF9C010E8F09C60D981512198126091996

R=6BBF9FFA5D509778D0F93AE074D36A07D95FFC38F70C8D7E3300EBF234FA0BC20A95152A8FB73DE81FAEE5BF4FD3EB7F5EE3E36D7068D083EF7C93F6FDDF673A

When the witness uses the Chinese remainders, it has the parameter k, the f prime factors from p₁ to p_(f), f−1 parameters of Chinese remainders and m×f private components Q_(i,j); it randomly and privately picks one or more collections of f random numbers: every collection includes one random number r_(i) per prime factor p_(i) (0<r_(i)<p_(i)); and then, by successively squaring it k times (mod p_(i)), it transforms each random number r_(i) into a commitment component R_(i).

R_(i) ≡ r_(i)^(v) (mod p_(i))

For each collection of f commitment components, the witness establishes a commitment according to the Chinese remainder technique. There are as many commitments as there are random number collections.

R=Chinese remainders(R₁, R₂, . . . R_(f))

Here is an example with the previous set of keys and with the Chinese remainders.

r₁=5C6D37F0E97083C8D120719475E080BBBF9F7392F11F3E244FDF0204E84D8CAE

R₁=3DDF516EE3945CB86D20D9C49E0DA4D422811D07A76074DD4FE20C5C7C5E205DF66

r₂=AC8F85034AC78112071947C457225E908E83A2621B0154ED15DBFCB9A4915AC3

R₂=01168CEC0F661EAA15157C2C287C6A5B34EE28F8EB4D8D340858079BCAE4ECB016

R=Chinese remainders(R₁,R₂)=0AE51D90CB4FDC3DC757C56E063C9ED86BE153B71FC65F47C123C27F082BC3DD15273D4A923804718573F2F05E991487D17DAE0AAB7DF0D0FFA23E0FE59F95F0

In both cases, the demonstrator transmits to the controller either all or part of each commitment R, or else a hashing code H obtained by hashing each commitment R and a message M.

2) The act of challenge consists in randomly picking one or more challenges d, each consisting of m elementary challenges d₁, d₂, . . . d_(m); each elementary challenge d_(i) is one of the numbers from 0 to v/2−1.

d=d₁d₂ . . . d_(m)

Here is a challenge for both examples, i.e. with k=5 and m=4.

d₁=1011=11=‘B’; d₂=0011=3; d₃=0110=6; d₄=1001=9,

d=d₁∥d₂∥d₃∥d₄=1011001101101001=B369

The controller transmits each challenge d to the demonstrator.

3) The act of response includes the following operations.

When the witness does not use Chinese remainders, it has the parameter k, the m private numbers from Q₁ to Q_(m) and the module n; it computes one or more responses D by using each random number r from the commitment act and the private numbers according to the elementary challenges.

D ≡ r × Q₁^(d1) × Q₂^(d2) × . . . × Q_(m)^(dm) (mod n)

Here is the continuation of the example without the Chinese remainders.

D=027E6E808425BF2B401FD00B15B642B1A8453BE8070D86C0A7870E6C1940F7A6996C2D871EBE611812532AC5875E0E116CC8BA648FD8E86BE0B2ABCC3CCBBBE4

When the witness uses Chinese remainders, it has the parameter k, the f prime factors from p₁ to p_(f), the f−1 Chinese remainder parameters and m×f private components Q_(i,j); it computes one or more collections of f response components by using each collection of random numbers from the commitment act: each collection of response components includes one component per prime factor.

D_(i) ≡ r_(i) × Q_(1,i)^(d1) × Q_(2,i)^(d2) × . . . × Q_(m,i)^(dm) (mod p_(i))

For each collection of response components, the witness establishes a response according to the Chinese remainder technique. There are as many responses as there are challenges.

D=Chinese remainders(D₁, D₂, . . . D_(f))

Here is the continuation of the example with the Chinese remainders.

D₁=r₁×Q_(1,1)^(d1)×Q_(2,1)^(d2)×Q_(3,1)^(d3)×Q_(4,1)^(d4) (mod p₁)=C71F86F6FD8F955E2EE434BFA7706E38E5E715375BC2CD2029A4BD572A9EDEE6

D₂=r₂×Q_(1,2)^(d1)×Q_(2,2)^(d2)×Q_(3,2)^(d3)×Q_(4,2)^(d4) (mod p₂)=0BE022F4A20523F98E9F5DBEC0E10887902F3AA48C864A6C354693AD0B59D85E

D=Chinese remainders(D₁,D₂)=90CE7EA43CB8EA89ABDD0C814FB72ADE74F02FE6F098ABB98C8577A660B9CFCEAECB93BE1BCC356811BF12DD667E2270134C9073B9418CA5EBF5191218D3FDB3

In both cases, the demonstrator transmits each response D to the controller.

4) The act of checking consists in checking that each triplet {R, d, D} satisfies an equation of the following type for a non-zero value:

$R \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \equiv D^{2^{k}} \pmod{n}$ or else $R \equiv D^{2^{k}} \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \pmod{n}$

or, in restoring each commitment (none of them must be zero):

$R' \equiv D^{2^{k}} / \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \pmod{n}$ or else $R' \equiv D^{2^{k}} \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \pmod{n}$

Optionally, the controller then computes a hashing code H′ by hashing each restored commitment R′ and the message M′. Dynamic authentication is successful when the controller thus retrieves what it has received at the end of the commitment act, i.e., all or part of each commitment R, or the hashing code H.

For example, a sequence of elementary operations transforms response D into a commitment R′. The sequence comprises k squares (mod n) separated by k−1 divisions or multiplications (mod n) by base numbers. For the i-th division or multiplication, which is performed between the i-th square and the (i+1)-th square, the i-th bit of the elementary challenge d₁ indicates if g₁ must be used, the i-th bit of the elementary challenge d₂ indicates if g₂ must be used, . . . up to the i-th bit of the elementary challenge d_(m), which indicates if g_(m) must be used.

Here is the end of the example without the Chinese remainders.

D=027E6E808425BF2B401FD00B15B642B1A8453BE8070D86C0A7870E6C1940F7A6996C2D871EBE611812532AC5875E0E116CC8BA648FD8E86BE0B2ABCC3CCBBBE4

Take the square modulo n: 88BA681DD641D37D7A7D9818D0DBEA82174073997C6C32F7FCAB30380C4C6229B0706D1AF6EBD84617771C31B4243C2F0376CAF5DCEB644F098FAF3B1EB49B39

Multiply by 5 times 26=130, i.e. ‘82’ in hexadecimal, modulo n: 6ECABA65A91C22431C413E4EC7C7B39FDE14C9782C94FD6FA3CAAD7AFE192B9440C1113CB8DBC45619595D263C1067D3D0A840FDE008B415028AB3520A6AD49D

Take the square modulo n: 0236D25049A5217B13818B39AFB009E4D7D52B17486EBF844D64CF75C4F652031041328B29EBF0829D54E3BD17DAD218174A01E6E3AA650C6FD62CC274426607

Multiply by 21, i.e. ‘15’ in hexadecimal, modulo n: 2E7F40960A8BBF1899A06BBB6970CFC5B47C88E8F115B5DA594504A92834BA405559256A705ABAB6E7F6AE82F4F33BF9E91227F0ACFA4A052C91ABF389725E93

Take the square modulo n: B802171179648AD687E672D3A32640E2493BA2E82D5DC87DBA2B2CC0325E7A71C50E8AE02E299EF868DD3FB916EBCBC0C5569B53D42DAD49C956D8572E1285B0

Multiply by 5 times 11 times 21=1155, i.e. ‘483’ in hexadecimal, modulo n: 3305560276310DEFEC1337EB5BB5810336FDB28E91B350D485B09188E0C4F1D67E68E9590DB7F9F39C22BDB4533013625011248A8DC417C667B419D27CB11F72

Take the square modulo n: 8871C494081ABD1AEB8656C38B9BAAB57DBA72A4BD4EF9029ECBFFF540E55138C9F22923963151FD0753145DF70CE22E9D019990E41DB6104005EEB7B1170559

Multiply by 5 times 11 times 26=1430, i.e. ‘596’ in hexadecimal, modulo n: 2CF5F76EEBF128A0701B56F837FF68F81A6A5D175D0AD67A14DAEC6FB68C362B1DC0ADD6CFC004FF5EEACDF794563BB09A17045ECFFF88F5136C7FBC825BC50C

Take the square modulo n: 6BBF9FFA5D509778D0F93AE074D36A07D95FFC38F70C8D7E3300EBF234FA0BC20A95152A8FB73DE81FAEE5BF4FD3EB7F5EE3E36D7068D083EF7C93F6FDDF673A

The commitment R is retrieved. Authentication is successful.
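The controller's reconstruction sequence just described, written out as an added example (not code from the patent). It takes the page's own challenge d=B369, base numbers 5, 11, 21 and 26 and k=5, and computes the base-number product applied before each squaring; those products come out as 130, 21, 1155 and 1430, the values the worked example above multiplies by. The page's module n is not reproduced here, so the constructed values TOY_N and TOY_D (assumptions, not from the page) stand in to show that the step sequence and the closed formula D^(2^k)×∏G_i^(d_i) agree for any odd modulus.

```python
"""
Controller-side reconstruction of R' from D by k squarings separated by k-1
multiplications, driven by the bits of the elementary challenges.
Added example; not code from the patent.
"""
from math import prod


def split_challenge(d, k, m):
    """Split d, coded as m fields of k-1 bits, into d_1 .. d_m (most significant field first)."""
    width = k - 1
    mask = (1 << width) - 1
    return [(d >> (width * (m - 1 - i))) & mask for i in range(m)]


def step_multipliers(ds, bases, k):
    """Base-number product for each of the k-1 multiplications.

    The i-th multiplication (between the i-th and the (i+1)-th squaring) looks at
    the i-th most significant bit of every elementary challenge d_j and includes
    g_j in the product when that bit is 1.  An empty product is 1 (no multiply).
    """
    return [
        prod(g for dj, g in zip(ds, bases) if (dj >> bit) & 1)
        for bit in range(k - 2, -1, -1)          # bit k-2 is the top bit of a (k-1)-bit field
    ]


def restore_commitment(D, ds, bases, k, n):
    """R' by the page's sequence: square, then (multiply, square) for each of the k-1 multipliers."""
    x = D * D % n
    for mult in step_multipliers(ds, bases, k):
        x = x * mult % n
        x = x * x % n
    return x


def restore_commitment_closed(D, ds, bases, k, n):
    """The same value in closed form: D^(2^k) × ∏ G_i^(d_i) (mod n), with G_i = g_i^2 mod n."""
    return pow(D, 1 << k, n) * prod(pow(g * g % n, dj, n) for dj, g in zip(ds, bases)) % n


# Constructed stand-in values: the page's module n is not reproduced here, and the
# equivalence of the two reconstructions holds for any odd modulus.
TOY_N = 0xD2A1F3B54C6E78910B2C3D4E5F6A7B8D
TOY_D = 0x3A5F1C9E7B2D4F608193A5C7E9F1B3D5


def sequence_matches_closed_form(D=TOY_D, n=TOY_N, d=0xB369, bases=(5, 11, 21, 26), k=5):
    """True when the step-by-step sequence and the closed formula agree."""
    ds = split_challenge(d, k, len(bases))
    return restore_commitment(D, ds, bases, k, n) == restore_commitment_closed(D, ds, bases, k, n)


if __name__ == "__main__":
    ds = split_challenge(0xB369, 5, 4)                      # the page's challenge: B, 3, 6, 9
    print(ds, [format(x, "X") for x in step_multipliers(ds, (5, 11, 21, 26), 5)])
    print(sequence_matches_closed_form())
```

The Horner-like order matters: the multiplier taken from the most significant bit of each d_j is squared k−1 more times, so it ends up raised to 2^(k−1), while the one from the least significant bit is squared once, giving g_j² = G_j; altogether the g_j exponents assemble exactly 2·d_j, i.e. G_j^(d_j).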

Here is the end of the example with the Chinese remainders.

D=90CE7EA43CB8EA89ABDD0C814FB72ADE74F02FE6F098ABB98C8577A660B9CFCEAECB93BE1BCC356811BF12DD667E2270134C9073B9418CA5EBF5191218D3FDB3

Take the square modulo n: 770192532E9CED554A8690B88F16D013010C903172B266C1133B136EBE3EB5F13B170DD41F4ABE14736ADD3A70DFA43121B6FC5560CDD4B4845395763C792A68

Multiply by 5 times 26=130, i.e. ‘82’ in hexadecimal, modulo n: 6EE9BEF9E52713004971ABB9FBC31145318E2A703C8A2FB3E144E7786397CD8D1910E70FA86262DB771AD1565303AD6E4CC6E90AE3646B461D3521420E240FD4

Take the square modulo n: D9840D9A8E80002C4D0329FF97D7AD163D8FA98F6AF8FE2B2160B2126CBBDFC734E39F2C9A39983A426486BC477F20ED2CA59E664C23CA0E04E84F2F0AD65340

Multiply by 21, i.e. ‘15’ in hexadecimal, modulo n: D7DD7516383F78944F2C90116E1BEE0CCDC8D7CEC5D7D1795ED33BFE8623DB3D2E5B6C5F62A56A2DF4845A94F32BF3CAC360C7782B5941924BB4BE91F86BD85F

Take the square modulo n: DD34020DD0804C0757F29A0CBBD7B46A1BAF949214F74FDFE021B626ADAFBAB5C3F1602095DA39D70270938AE362F2DAE0B914855310C75BCA328A4B2643DCCDF

Multiply by 5 times 11 times 21=1155, i.e. ‘483’ in hexadecimal, modulo n: 038EF55B4C826D189C6A48EFDD9DADBD2B63A7D675A0587C8559618EA2D83DF552D24EAF6BE983FB4AFB3DE7D4D2545190F1B1F946D327A4E9CA258C73A98F57

Take the square modulo n: D1232F50E30BC6B7365CC2712E5CAE079E47B971DA03185B33E918EE6E99252DB3573CC87C604B327E5B20C7AB920FDF142A8909DBBA1C04A6227FF18241C9FE

Multiply by 5 times 11 times 26=1430, i.e. ‘596’ in hexadecimal, modulo n: 3CC768F12AEDFCD4662892B9174A21D1F0DD9127A54AB63C984019BED9BF88247EF4CCB56D71E0FA30CFB0FF28B7CE45556F744C1FD751BFBCA040DC9CBAB744

Take the square modulo n: 0AE51D90CB4FDC3DC757C56E063C9ED86BE153B71FC65F47C123C27F082BC3DD15273D4A923804718573F2F05E991487D17DAE0AAB7DF0D0FFA23E0FE59F95F0

The commitment R is retrieved correctly. Authentication is successful.

Digital Signature

The digital signing mechanism enables an entity called a signing entity to produce signed messages and an entity called controller to ascertain signed messages. Message M is any binary sequence: it may be empty. The message M is signed by adding a signature appendix to it, which comprises one or more commitments and/or challenges, as well as the corresponding responses.

The controller has the module n, for example, from a directory of public keys or even from a certificate of public keys; it also has the same hashing function. The GQ2 public parameters, i.e. numbers k, m and g₁ to g_(m), may be given to the controller by the demonstrator, for example by putting them in the signature appendix.

Numbers k and m inform the controller. Each elementary challenge from d₁ to d_(m), on the one hand, is a number from 0 to 2^(k−1)−1 (numbers v/2 to v−1 are not used). Each challenge d, on the other hand, should include m elementary challenges referenced from d₁ to d_(m), as many as there are base numbers. Further, unless indicated otherwise, the m base numbers from g₁ to g_(m) are the first m prime numbers. With (k−1)×m being from 15 to 20, it is possible to sign with four GQ2 triplets produced in parallel; with (k−1)×m being 60 or more, it is possible to sign with only one GQ2 triplet. For example, with k=9 and m=8, only one GQ2 triplet is sufficient; each challenge includes eight bytes and the base numbers are 2, 3, 5, 7, 11, 13, 17 and 19.

The signing operation is a sequence of three acts: a commitment act, a challenge act and a response act. Each act produces one or more GQ2 triplets each comprising: a commitment R (≠0), a challenge d consisting of m elementary challenges referenced by d₁, d₂, . . . d_(m) and a response D (≠0).

The signing entity has a hashing function, the parameter k and the GQ2 private key, i.e., the factorization of the module n according to one of the three representations mentioned above. Within the signing entity, it is possible to isolate a witness which executes the commitment and response acts in order to isolate the most sensitive functions and parameters of the demonstrator. In order to compute commitments and responses, the witness has the parameter k and the GQ2 private key, i.e., the factorization of the module n according to one of the three representations mentioned above. The thereby isolated witness is similar to the witness defined within the demonstrator. It may correspond to a particular embodiment, for example:

• a chip card connected to a PC, forming together the signing entity, or even

• programs particularly protected within a PC, or even

• programs particularly protected within a chip card.

1) The act of commitment comprises the following operations.

When the witness has the m private numbers Q₁ to Q_(m) and the module n, it randomly and privately picks one or more random numbers r (0<r<n); and then, by k successive squarings (mod n), it transforms each random number r into a commitment R.

R ≡ r^(v) (mod n)

When the witness has f prime factors from p₁ to p_(f) and m×f private components Q_(i,j), it randomly and privately picks one or more collections of f random numbers: each collection includes a random number r_(i) per prime factor p_(i) (0<r_(i)<p_(i)); and then, by k successive squarings (mod p_(i)), it transforms each random number r_(i) into a commitment component R_(i).

R_(i) ≡ r_(i)^(v) (mod p_(i))

For each collection of f commitment components, the witness establishes a commitment according to the Chinese remainder technique. There are as many commitments as there are random number collections.

R=Chinese remainders(R₁, R₂, . . . R_(f))

2) The act of challenge consists in hashing all commitments R and the message M to be signed in order to obtain a hashing code from which the signing entity forms one or more challenges each comprising m elementary challenges; each elementary challenge is a number from 0 to v/2−1; for example, with k=9 and m=8, each challenge includes eight bytes. There are as many challenges as there are commitments.

d=d₁, d₂, . . . d_(m), extracted from the Hash(M, R) result

3) The act of response includes the following operations.

When the witness has m private numbers Q₁ to Q_(m) and the module n, it calculates one or more responses D by using each random number r of the commitment act and the private numbers according to the elementary challenges.

X ≡ Q₁^(d1) × Q₂^(d2) × . . . × Q_(m)^(dm) (mod n)

D ≡ r × X (mod n)

When the witness has f prime factors from p₁ to p_(f) and m×f private components Q_(i,j), it calculates one or more collections of f response components by using each collection of random numbers from the commitment act; each collection of response components includes one component per prime factor.

X_(i) ≡ Q_(1,i)^(d1) × Q_(2,i)^(d2) × . . . × Q_(m,i)^(dm) (mod p_(i))

D_(i) ≡ r_(i) × X_(i) (mod p_(i))

For each collection of response components, the witness establishes a response according to the Chinese remainder technique. There are as many responses as there are challenges.

D=Chinese remainders (D₁, D₂, . . . D_(f))

The signing entity signs the message M by adding a signature appendix comprising:

either each GQ2 triplet, i.e., each commitment R, each challenge d and each response D,

or each commitment R and each corresponding response D,

or each challenge d and each corresponding response D.

The running of the verification operation depends on the contents of the signature appendix. Three cases are distinguished.

Should the appendix comprise one or more triplets, the checking operation includes two independent processes whose order is indifferent. The controller accepts the signed message if and only if both of the following conditions are satisfied.

Firstly, each triplet must be consistent (an appropriate relationship of the following type has to be verified) and acceptable (the comparison has to be done on a non-zero value).

$R \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \equiv D^{2^{k}} \pmod{n}$ or else $R \equiv D^{2^{k}} \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \pmod{n}$

For example, the response D is converted by a sequence of elementary operations: k squares (mod n) separated by k−1 multiplication or division operations (mod n) by base numbers. For the i-th multiplication or division, which is performed between the i-th square and the (i+1)-th square, the i-th bit of the elementary challenge d₁ indicates whether it is necessary to use g₁, the i-th bit of the elementary challenge d₂ indicates whether it is necessary to use g₂, . . . up to the i-th bit of the elementary challenge d_(m), which indicates if it is necessary to use g_(m). It is thus necessary to retrieve each commitment R present in the signature appendix.

Furthermore, the triplet or triplets must be linked to the message M. By hashing all the commitments R and the message M, a hashing code is obtained from which each challenge d must be recovered.

d=d₁d₂ . . . d_(m), identical to those extracted from the result Hash(M,R).

If the appendix has no challenge, the checking operation starts with the reconstitution of one or more challenges d′ by hashing all the commitments R and the message M.

d′=d′₁d′₂ . . . d′_(m), extracted from the result Hash(M, R).

Then, the controller accepts the signed message if and only if each triplet is consistent (an appropriate relationship of the following type is verified) and acceptable (the comparison is done on a non-zero value).

$R \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}^{\prime}} \equiv D^{2^{k}} \pmod{n}$ or else $R \equiv D^{2^{k}} \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}^{\prime}} \pmod{n}$

Should the appendix comprise no commitment, the checking operation starts with the reconstitution of one or more commitments R′ according to one of the following two formulae, namely the one that is appropriate. No re-established commitment should be zero.

$R' \equiv D^{2^{k}} / \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \pmod{n}$ or else $R' \equiv D^{2^{k}} \times \prod\limits_{i = 1}^{m}\; G_{i}^{d_{i}} \pmod{n}$

Then, the controller must hash all the commitments R′ and the message M so as to reconstitute each challenge d.

d=d₁d₂ . . . d_(m), identical to those extracted from the result Hash(M, R′).

The controller accepts the signed message if and only if each reconstituted challenge is identical to the corresponding challenge in the appendix.
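The three acts of dynamic authentication and the signature mechanism (hash-derived challenges, the three appendix forms and their checks), run end to end on a toy key. This is an added example, not the patent's or any reference implementation. Assumptions not taken from the page: SHA-256 stands in for the unspecified hashing function; the two prime factors are small primes congruent to 3 modulo 4 found by trial division, so that 2^k-th roots can be taken by one exponentiation; the keys satisfy G_i×Q_i^v≡1 (mod n), the form whose check is R≡D^(2^k)×∏G_i^(d_i) as in the worked example; the admissibility conditions the claims place on the base numbers are not checked. The key sizes are far below any real use.

```python
"""
GQ2 dynamic authentication and signature on a toy key, end to end.
Added example; not the patent's reference code.  SHA-256, the prime sizes and
the key relation G_i × Q_i^v ≡ 1 (mod n) are assumptions made here.
"""
import hashlib
import secrets
from math import isqrt, prod


def blum_prime_after(start):
    """Smallest prime ≡ 3 (mod 4) above start, by trial division (toy sizes only)."""
    c = start + 1
    while not (c % 4 == 3 and all(c % q for q in range(2, isqrt(c) + 1))):
        c += 1
    return c


def crt2(a1, p1, a2, p2):
    """Chinese remainders for two coprime moduli: x ≡ a1 (mod p1), x ≡ a2 (mod p2)."""
    return (a1 * p2 * pow(p2, -1, p1) + a2 * p1 * pow(p1, -1, p2)) % (p1 * p2)


def keygen(k, bases, p1, p2):
    """Public (n, v, G) and private Q with G_i = g_i^2 mod n and G_i × Q_i^v ≡ 1 (mod n).

    For a prime p ≡ 3 (mod 4), a^((p+1)/4) is the quadratic-residue square root of
    a residue a, so applying it k times (exponent ((p+1)/4)^k mod (p-1)) yields a
    2^k-th root of a.  The root of G_i^(-1) is taken mod p1 and mod p2 and the two
    components are assembled with the Chinese remainder step, as the page does.
    """
    n, v = p1 * p2, 1 << k
    G = [g * g % n for g in bases]
    Q = []
    for Gi in G:
        c1, c2 = (pow(pow(Gi, -1, p), pow((p + 1) // 4, k, p - 1), p) for p in (p1, p2))
        Q.append(crt2(c1, p1, c2, p2))
    return n, v, G, Q


def respond(r, Q, d, n):
    """Witness response: D ≡ r × Q_1^d1 × . . . × Q_m^dm (mod n)."""
    return r * prod(pow(Qi, di, n) for Qi, di in zip(Q, d)) % n


def restore_commitment(D, d, G, v, n):
    """Controller side, for keys with G_i × Q_i^v ≡ 1: R' ≡ D^v × ∏ G_i^(d_i) (mod n)."""
    return pow(D, v, n) * prod(pow(Gi, di, n) for Gi, di in zip(G, d)) % n


def check_triplet(R, d, D, G, v, n):
    """Consistent and acceptable: the restored commitment equals R and is non-zero."""
    Rp = restore_commitment(D, d, G, v, n)
    return Rp != 0 and Rp == R


def challenges_from_hash(M, R, k, m, n):
    """d_1 .. d_m as consecutive (k-1)-bit fields taken from the top of SHA-256(M ‖ R)."""
    digest = hashlib.sha256(M + R.to_bytes((n.bit_length() + 7) // 8, "big")).digest()
    width = k - 1
    top = int.from_bytes(digest, "big") >> (256 - width * m)
    return [(top >> (width * (m - 1 - i))) & ((1 << width) - 1) for i in range(m)]


def authenticate(k, G, Q, n, r, d):
    """One triplet of dynamic authentication; d is the controller's challenge."""
    v = 1 << k
    R = pow(r, v, n)                                   # commitment act (witness)
    D = respond(r, Q, d, n)                            # response act (witness)
    return R, D, check_triplet(R, d, D, G, v, n)       # checking act (controller)


def sign(M, k, Q, n, r):
    """Signature: the challenge comes from Hash(M, R) instead of from a controller."""
    R = pow(r, 1 << k, n)
    d = challenges_from_hash(M, R, k, len(Q), n)
    return {"R": R, "d": d, "D": respond(r, Q, d, n)}


def verify(M, appendix, k, G, n):
    """Accept a signed message from any of the three appendix contents the page lists."""
    v, m = 1 << k, len(G)
    R, d, D = appendix.get("R"), appendix.get("d"), appendix.get("D")
    if D is None or D % n == 0 or (R is None and d is None):
        return False
    if d is not None and any(not 0 <= di < (1 << (k - 1)) for di in d):
        return False                                   # elementary challenges run from 0 to v/2 - 1
    if R is None:                                      # {d, D}: restore R', then Hash(M, R') must give d back
        R = restore_commitment(D, d, G, v, n)
        return R != 0 and challenges_from_hash(M, R, k, m, n) == d
    d_hash = challenges_from_hash(M, R, k, m, n)
    if d is None:                                      # {R, D}: reconstitute d' from the hash
        d = d_hash
    return d == d_hash and check_triplet(R, d, D, G, v, n)   # {R, d, D} or {R, D}


if __name__ == "__main__":
    K, BASES = 9, [2, 3, 5, 7, 11, 13, 17, 19]         # the page's signature parameters
    N, V, G, Q = keygen(K, BASES, blum_prime_after(1_000_000), blum_prime_after(2_000_000))
    assert all(Gi * pow(Qi, V, N) % N == 1 for Gi, Qi in zip(G, Q))
    sig = sign(b"constructed sample message", K, Q, N, secrets.randbelow(N - 1) + 1)
    print(verify(b"constructed sample message", sig, K, G, N), verify(b"tampered", sig, K, G, N))
```

With k=9 and m=8 the challenge is exactly eight bytes, one per base number, and each byte already lies in 0 to 2^(k−1)−1, so no masking of the hash output is needed beyond slicing. The range check in verify enforces the page's rule that values from v/2 to v−1 are never used as elementary challenges, and the zero checks on D and R′ implement its "non-zero value" condition.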

1. A computer-implemented process comprising: obtaining a set of one or more private values Q₁, Q₂, . . . , Q_(m) and respective public values G₁, G₂, . . . , G_(m), each pair of keys (Q_(i), G_(i)) verifying either the equation G_(i)·Q_(i)^(v) ≡ 1 mod n or the equation G_(i) ≡ Q_(i)^(v) mod n, wherein m is an integer greater than or equal to 1, i is an integer between 1 and m, and wherein n is a public integer equal to the product of f private prime factors designated by p₁, . . . , p_(f), at least two of these prime factors being different from each other, wherein f is an integer greater than 1, and wherein v is a public exponent such that v=2^(k), wherein k is a security parameter having an integer value greater than 1, and wherein each public value G_(i) (for i=1, . . . , m) is such that G_(i) ≡ g_(i)² mod n, wherein g_(i) (for i=1, . . . , m) is a base number having an integer value greater than 1 and smaller than each of the prime factors p₁, . . . , p_(f), and wherein, for at least one integer value l between 1 and m, g_(l) or (−g_(l)) is a quadratic residue of the body of integers modulo n, and wherein, for at least one integer value s between 1 and m, q_(s) is neither congruent to g_(s) mod n nor congruent to (−g_(s)) mod n, wherein, for i=1, . . . , m, q_(i) ≡ Q_(i)^(−v/2) mod n in the case G_(i)×Q_(i)^(v)=1 mod n and q_(i)=Q_(i)^(v/2) mod n in the case G_(i)=Q_(i)^(v) mod n; and using at least the private values Q₁, Q₂, . . . , Q_(m) in an authentication or in a signature method.
2. The computer-implemented process according to claim 1, further comprising: receiving a commitment R from a demonstrator, the commitment R having a value computed such that: R=r^(v) mod n, wherein r is an integer such that 0<r<n randomly chosen by the demonstrator; selecting m challenges d₁, d₂, . . . , d_(m) randomly; sending the challenges d₁, d₂, . . . , d_(m) to the demonstrator; receiving a response D from the demonstrator, the response D having a value computed such that: D=r×Q₁^(d1)×Q₂^(d2)× . . . ×Q_(m)^(dm) mod n; and determining that the demonstrator is authentic if the response D has a value such that: D^(v)×G₁^(ε₁d₁)×G₂^(ε₂d₂)× . . . ×G_(m)^(ε_(m)d_(m)) mod n is equal to the commitment R, wherein, for i=1, . . . , m, ε_(i)=+1 in the case G_(i)×Q_(i)^(v)=1 mod n and ε_(i)=−1 in the case G_(i)=Q_(i)^(v) mod n.
3. The computer-implemented process according to claim 1, further comprising: receiving a commitment R from a demonstrator, the commitment R having a value computed using the Chinese remainder method from a set of commitment components R_(j) wherein j=1, . . . , f, each commitment component R_(j) having a value such that R_(j)=r_(j)^(v) mod p_(j), wherein r_(j) is an integer such that 0<r_(j)<p_(j) randomly chosen by the demonstrator; selecting m challenges d₁, d₂, . . . , d_(m) randomly; sending the challenges d₁, d₂, . . . , d_(m) to the demonstrator; receiving a response D from the demonstrator, the response D being computed from a set of response components D_(j) using the Chinese remainder method, the response components D_(j) having a value such that: D_(j)=r_(j)×Q_(1,j)^(d1)×Q_(2,j)^(d2)× . . . ×Q_(m,j)^(dm) mod p_(j) for j=1, . . . , f, wherein Q_(i,j)=Q_(i) mod p_(j) for i=1, . . . , m and j=1, . . . , f; and determining that the demonstrator is authentic if the response D has a value such that: D^(v)×G₁^(ε₁d₁)×G₂^(ε₂d₂)× . . . ×G_(m)^(ε_(m)d_(m)) mod n is equal to the commitment R, wherein, for i=1, . . . , m, ε_(i)=+1 in the case G_(i)×Q_(i)^(v)=1 mod n and ε_(i)=−1 in the case G_(i)=Q_(i)^(v) mod n.
4. The computer-implemented process according to claim 1, further comprising: receiving a token T from a demonstrator, the token T having a value such that T=h(M,R), wherein h is a function of two integers which makes use of a hash function, M is a message received from the demonstrator, and R is a commitment having a value computed such that: R=r^(v) mod n, wherein r is an integer such that 0<r<n randomly chosen by the demonstrator; selecting m challenges d₁, d₂, . . . , d_(m) randomly; sending the challenges d₁, d₂, . . . , d_(m) to the demonstrator; receiving a response D from the demonstrator, the response D having a value such that: D=r×Q₁^(d1)×Q₂^(d2)× . . . ×Q_(m)^(dm) mod n; and determining that the message M is authentic if the response D has a value such that: h(M, D^(v)×G₁^(ε₁d₁)×G₂^(ε₂d₂)× . . . ×G_(m)^(ε_(m)d_(m)) mod n) is equal to the token T, wherein, for i=1, . . . , m, ε_(i)=+1 in the case G_(i)×Q_(i)^(v)=1 mod n and ε_(i)=−1 in the case G_(i)=Q_(i)^(v) mod n.
5. The computer-implemented process according to claim 1, further comprising: receiving a token T from a demonstrator, the token T having a value such that T=h(M,R), wherein h is a function of two integers which makes use of a hash function, M is a message received from the demonstrator, and R is a commitment having a value computed using the Chinese remainder method from a set of commitment components R_(j) wherein j=1, . . . , f, each commitment component R_(j) having a value such that R_(j)=r_(j)^(v) mod p_(j), wherein r_(j) is an integer such that 0<r_(j)<p_(j) randomly chosen by the demonstrator; selecting m challenges d₁, d₂, . . . , d_(m) randomly; sending the challenges d₁, d₂, . . . , d_(m) to the demonstrator; receiving a response D from the demonstrator, the response D being computed from a set of response components D_(j) using the Chinese remainder method, the response components D_(j) having a value such that: D_(j)=r_(j)×Q_(1,j)^(d1)×Q_(2,j)^(d2)× . . . ×Q_(m,j)^(dm) mod p_(j) for j=1, . . . , f, wherein Q_(i,j)=Q_(i) mod p_(j) for i=1, . . . , m and j=1, . . . , f; and determining that the message M is authentic if the response D has a value such that: h(M, D^(v)×G₁^(ε₁d₁)×G₂^(ε₂d₂)× . . . ×G_(m)^(ε_(m)d_(m)) mod n) is equal to the token T, wherein, for i=1, . . . , m, ε_(i)=+1 in the case G_(i)×Q_(i)^(v)=1 mod n and ε_(i)=−1 in the case G_(i)=Q_(i)^(v) mod n.

6. The computer-implemented process according to claim 2, wherein the challenges are such that 0≦d_(i)≦2^(k)−1 for i=1, . . . , m.
7. A computer-implemented process according to claim 1 for allowing a signatory to sign a message M, further comprising: selecting randomly m integers r_(i) such that 0<r_(i)<n for i=1, . . . , m; computing commitments R_(i) having a value such that: R_(i)=r_(i)^(v) mod n, for i=1, . . . , m; computing a token T having a value such that T=h(M, R₁, R₂, . . . , R_(m)), wherein h is a function of (m+1) integers which makes use of a hash function and produces a binary train consisting of m bits; identifying the bits d₁, d₂, . . . , d_(m) of the token T; and computing responses D_(i)=r_(i)×Q_(i)^(d_(i)) mod n for i=1, . . . , m.

8. The computer-implemented process according to claim 7, further comprising: collecting the token T and the responses D_(i) for i=1, . . . , m; and determining that the message M is authentic if the responses D_(i) have values such that: h(M, D₁^(v)×G₁^(ε₁d₁) mod n, D₂^(v)×G₂^(ε₂d₂) mod n, . . . , D_(m)^(v)×G_(m)^(ε_(m)d_(m)) mod n) is equal to the token T, wherein, for i=1, . . . , m, ε_(i)=+1 in the case G_(i)×Q_(i)^(v)=1 mod n and ε_(i)=−1 in the case G_(i)=Q_(i)^(v) mod n.
9. A system comprising: a memory storing a set of instructions; and a processor coupled to the memory for executing the set of instructions stored in the memory, the instructions including: obtaining a set of one or more private values Q₁, Q₂, . . . , Q_(m) and respective public values G₁, G₂, . . . , G_(m), each pair of keys (Q_(i), G_(i)) verifying either the equation G_(i)·Q_(i)^(v) ≡ 1 mod n or the equation G_(i) ≡ Q_(i)^(v) mod n, wherein m is an integer greater than or equal to 1, i is an integer between 1 and m, and wherein n is a public integer equal to the product of f private prime factors designated by p₁, . . . , p_(f), at least two of these prime factors being different from each other, wherein f is an integer greater than 1, and wherein v is a public exponent such that v=2^(k), wherein k is a security parameter having an integer value greater than 1, and wherein each public value G_(i) (for i=1, . . . , m) is such that G_(i) ≡ g_(i)² mod n, wherein g_(i) (for i=1, . . . , m) is a base number having an integer value greater than 1 and smaller than each of the prime factors p₁, . . . , p_(f), and wherein, for at least one integer value l between 1 and m, g_(l) or (−g_(l)) is a quadratic residue of the body of integers modulo n, and wherein, for at least one integer value s between 1 and m, q_(s) is neither congruent to g_(s) mod n nor congruent to (−g_(s)) mod n, wherein, for i=1, . . . , m, q_(i) ≡ Q_(i)^(−v/2) mod n in the case G_(i)×Q_(i)^(v)=1 mod n and q_(i)=Q_(i)^(v/2) mod n in the case G_(i)=Q_(i)^(v) mod n; and using at least the private values Q₁, Q₂, . . . , Q_(m) in an authentication or in a signature method.
10. A computer-readable storage medium storing instructions which when executed cause a processor to execute the following acts: obtaining a set of one or more private values Q₁, Q₂, . . . , Q_(m) and respective public values G₁, G₂, . . . , G_(m), each pair of keys (Q_(i), G_(i)) verifying either the equation G_(i)·Q_(i)^(v) ≡ 1 mod n or the equation G_(i) ≡ Q_(i)^(v) mod n, wherein m is an integer greater than or equal to 1, i is an integer between 1 and m, and wherein n is a public integer equal to the product of f private prime factors designated by p₁, . . . , p_(f), at least two of these prime factors being different from each other, wherein f is an integer greater than 1, and wherein v is a public exponent such that v=2^(k), wherein k is a security parameter having an integer value greater than 1, and wherein each public value G_(i) (for i=1, . . . , m) is such that G_(i) ≡ g_(i)² mod n, wherein g_(i) (for i=1, . . . , m) is a base number having an integer value greater than 1 and smaller than each of the prime factors p₁, . . . , p_(f), and wherein, for at least one integer value l between 1 and m, g_(l) or (−g_(l)) is a quadratic residue of the body of integers modulo n, and wherein, for at least one integer value s between 1 and m, q_(s) is neither congruent to g_(s) mod n nor congruent to (−g_(s)) mod n, wherein, for i=1, . . . , m, q_(i) ≡ Q_(i)^(−v/2) mod n in the case G_(i)×Q_(i)^(v)=1 mod n and q_(i)=Q_(i)^(v/2) mod n in the case G_(i)=Q_(i)^(v) mod n; and using at least the private values Q₁, Q₂, . . . , Q_(m) in an authentication or in a signature method.
11. A computer-implemented process for producing asymmetric cryptographic keys, said keys comprising m≧1 private values Q₁, Q₂, . . . , Q_(m) and m respective public values G₁, G₂, . . . , G_(m), the computer-implemented process comprising: selecting a security parameter k, wherein k is an integer greater than 1; determining a modulus n, wherein n is a public integer equal to the product of at least two prime factors p₁, . . . , p_(f); selecting m base numbers g₁, g₂, . . . , g_(m), wherein each base number g_(i) (for i=1, . . . , m) has an integer value greater than 1 and smaller than each of the prime factors p₁, . . . , p_(f), and wherein, for at least one integer value l between 1 and m, g_(l) or (−g_(l)) is a quadratic residue of the body of integers modulo n; calculating the public values G_(i) for i=1, . . . , m through G_(i) ≡ g_(i)² mod n; and calculating the private values Q_(i) for i=1, . . . , m by solving either the equation G_(i)·Q_(i)^(v) ≡ 1 mod n or the equation G_(i) ≡ Q_(i)^(v) mod n, wherein the public exponent v is such that v=2^(k), such that, for at least one integer value s between 1 and m, q_(s) is neither congruent to g_(s) mod n nor congruent to (−g_(s)) mod n, wherein, for i=1, . . . , m, q_(i) ≡ Q_(i)^(−v/2) mod n in the case G_(i)×Q_(i)^(v)=1 mod n and q_(i)=Q_(i)^(v/2) mod n in the case G_(i)=Q_(i)^(v) mod n.